"Company Confidential
Report generated from {3} on JERRYWOLFF-MS-L {0} by {1}\{2} as a scheduled task

Please contact with any questions "12/13/2022 13:52:29",NORTHAMERICA,jerrywolff
SubscriptionId,ResourceGroup,ResourceType,ResourceTags,ResourceLocation,IsCompliant,ComplianceState,EffectiveParameters,ResourceId,Resource,PolicySetDefinitionVersion,PolicySetDefinitionParameters,PolicySetDefinitionOwner,PolicySetDefinitionName,PolicySetDefinitionId,PolicySetDefinitionCategory,PolicyEvaluationDetails,PolicyDefinitionVersion,PolicyDefinitionReferenceId,PolicyDefinitionName,PolicyDefinitionId,PolicyDefinitionGroupNames,PolicyDefinitionCategory,PolicyDefinitionAction,PolicyAssignmentVersion,PolicyAssignmentScope,PolicyAssignmentParameters,PolicyAssignmentOwner,PolicyAssignmentName,PolicyAssignmentId,PolicyDescription,PolicyCategory,PolicyDisplayName
01e7c251-3bed-4242-9d93-a5851b2e6671,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,01e7c251-3bed-4242-9d93-a5851b2e6671,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,emailnotificationtosubscriptionownerforhighseverityalertsshouldbeenabledmonitoringeffect,0b15565f-aa9e-48ba-8619-45960f2c314d,/providers/microsoft.authorization/policydefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d,azure_security_benchmark_v3.0_ir-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center.",Security Center,Email notification to subscription owner for high severity alerts should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,01e7c251-3bed-4242-9d93-a5851b2e6671,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,azuredefenderfordnsshouldbeenabledmonitoringeffect,bdc59948-5574-49b3-bb91-76b7c986428d,/providers/microsoft.authorization/policydefinitions/bdc59948-5574-49b3-bb91-76b7c986428d,System.Object[],tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center .",Security Center,Azure Defender for DNS should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,01e7c251-3bed-4242-9d93-a5851b2e6671,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.3,virtualmachinesadvancedthreatprotectionmonitoringeffect,4da35fc9-c9e7-4960-aec9-797fe7d9051d,/providers/microsoft.authorization/policydefinitions/4da35fc9-c9e7-4960-aec9-797fe7d9051d,System.Object[],tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities.",Security Center,Azure Defender for servers should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,01e7c251-3bed-4242-9d93-a5851b2e6671,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,identityenablemfaforreadpermissionsmonitoringnew,81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4,/providers/microsoft.authorization/policydefinitions/81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.",Security Center,Accounts with read permissions on Azure resources should be MFA enabled
01e7c251-3bed-4242-9d93-a5851b2e6671,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,01e7c251-3bed-4242-9d93-a5851b2e6671,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,identityenablemfaforwritepermissionsmonitoringeffect,931e118d-50a1-4457-a5e4-78550e086c52,/providers/microsoft.authorization/policydefinitions/931e118d-50a1-4457-a5e4-78550e086c52,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.",Security Center,Accounts with write permissions on Azure resources should be MFA enabled
01e7c251-3bed-4242-9d93-a5851b2e6671,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,01e7c251-3bed-4242-9d93-a5851b2e6671,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.1,identityenablemfaforwritepermissionsmonitoring,9297c21d-2ed6-4474-b48f-163f75654ce3,/providers/microsoft.authorization/policydefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.",Security Center,MFA should be enabled for accounts with write permissions on your subscription
01e7c251-3bed-4242-9d93-a5851b2e6671,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,01e7c251-3bed-4242-9d93-a5851b2e6671,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,identityenablemfaforownerpermissionsmonitoringnew,e3e008c3-56b9-4133-8fd7-d3347377402a,/providers/microsoft.authorization/policydefinitions/e3e008c3-56b9-4133-8fd7-d3347377402a,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.",Security Center,Accounts with owner permissions on Azure resources should be MFA enabled
01e7c251-3bed-4242-9d93-a5851b2e6671,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,01e7c251-3bed-4242-9d93-a5851b2e6671,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,identityenablemfaforownerpermissionsmonitoring,aa633080-8b72-40c4-a2d7-d00c03e80bed,/providers/microsoft.authorization/policydefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.",Security Center,MFA should be enabled on accounts with owner permissions on your subscription
01e7c251-3bed-4242-9d93-a5851b2e6671,,Microsoft.Resources/subscriptions,tbd,,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,01e7c251-3bed-4242-9d93-a5851b2e6671,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,identitydesignatemorethanoneownermonitoring,09024ccc-0c5f-475e-9457-b7c0d9ed487b,/providers/microsoft.authorization/policydefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b,azure_security_benchmark_v3.0_pa-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"It is recommended to designate more than one subscription owner in order to have administrator access redundancy.",Security Center,There should be more than one owner assigned to your subscription
01e7c251-3bed-4242-9d93-a5851b2e6671,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,01e7c251-3bed-4242-9d93-a5851b2e6671,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,identitydesignatelessthanownersmonitoring,4f11b553-d42e-4e3a-89be-32ca364cad4c,/providers/microsoft.authorization/policydefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c,azure_security_benchmark_v3.0_pa-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner.",Security Center,A maximum of 3 owners should be designated for your subscription
01e7c251-3bed-4242-9d93-a5851b2e6671,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,01e7c251-3bed-4242-9d93-a5851b2e6671,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,azuredefenderforresourcemanagershouldbeenabledmonitoringeffect,c3d20c29-b36d-48fe-808b-99a87530ad99,/providers/microsoft.authorization/policydefinitions/c3d20c29-b36d-48fe-808b-99a87530ad99,System.Object[],tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center .",Security Center,Azure Defender for Resource Manager should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,01e7c251-3bed-4242-9d93-a5851b2e6671,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,autoprovisioningoftheloganalyticsagentshouldbeenabledonyoursubscriptionmonitoringeffect,475aae12-b88a-4572-8b36-9b712b2b3a17,/providers/microsoft.authorization/policydefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created.",Security Center,Auto provisioning of the Log Analytics agent should be enabled on your subscription
01e7c251-3bed-4242-9d93-a5851b2e6671,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,01e7c251-3bed-4242-9d93-a5851b2e6671,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,containersadvancedthreatprotectionmonitoringeffect,1c988dd6-ade4-430f-a608-2a3e5b0a6d38,/providers/microsoft.authorization/policydefinitions/1c988dd6-ade4-430f-a608-2a3e5b0a6d38,System.Object[],tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments.",Security Center,Microsoft Defender for Containers should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,01e7c251-3bed-4242-9d93-a5851b2e6671,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.3,appservicesadvancedthreatprotectionmonitoringeffect,2913021d-f2fd-4f3d-b958-22354e2bdbcb,/providers/microsoft.authorization/policydefinitions/2913021d-f2fd-4f3d-b958-22354e2bdbcb,System.Object[],tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.",Security Center,Azure Defender for App Service should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,01e7c251-3bed-4242-9d93-a5851b2e6671,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.3,storageaccountsadvanceddatasecuritymonitoringeffect,308fbb08-4ab8-4e67-9b29-592e93fb94fa,/providers/microsoft.authorization/policydefinitions/308fbb08-4ab8-4e67-9b29-592e93fb94fa,System.Object[],tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts.",Security Center,Azure Defender for Storage should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,01e7c251-3bed-4242-9d93-a5851b2e6671,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,sqlserversvirtualmachinesadvanceddatasecuritymonitoringeffect,6581d072-105e-4418-827f-bd446d56421b,/providers/microsoft.authorization/policydefinitions/6581d072-105e-4418-827f-bd446d56421b,System.Object[],tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.",Security Center,Azure Defender for SQL servers on machines should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,01e7c251-3bed-4242-9d93-a5851b2e6671,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,sqlserversadvanceddatasecuritymonitoringeffect,7fe3b40f-802b-4cdd-8bd4-fd799c948cc2,/providers/microsoft.authorization/policydefinitions/7fe3b40f-802b-4cdd-8bd4-fd799c948cc2,System.Object[],tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.",Security Center,Azure Defender for Azure SQL Database servers should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,01e7c251-3bed-4242-9d93-a5851b2e6671,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.3,keyvaultsadvanceddatasecuritymonitoringeffect,0e6763cc-5078-4e64-889d-ff4d9a839047,/providers/microsoft.authorization/policydefinitions/0e6763cc-5078-4e64-889d-ff4d9a839047,System.Object[],tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts.",Security Center,Azure Defender for Key Vault should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,01e7c251-3bed-4242-9d93-a5851b2e6671,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,identityremoveexternalaccountwithreadpermissionsmonitoringnew,e9ac8f8e-ce22-4355-8f04-99b911d6be52,/providers/microsoft.authorization/policydefinitions/e9ac8f8e-ce22-4355-8f04-99b911d6be52,azure_security_benchmark_v3.0_pa-4,tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access.",Security Center,Guest accounts with read permissions on Azure resources should be removed
01e7c251-3bed-4242-9d93-a5851b2e6671,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,01e7c251-3bed-4242-9d93-a5851b2e6671,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,identityremoveexternalaccountwithreadpermissionsmonitoring,5f76cf89-fbf2-47fd-a3f4-b891fa780b60,/providers/microsoft.authorization/policydefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60,azure_security_benchmark_v3.0_pa-4,tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access.",Security Center,External accounts with read permissions should be removed from your subscription
01e7c251-3bed-4242-9d93-a5851b2e6671,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,01e7c251-3bed-4242-9d93-a5851b2e6671,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,identityremoveexternalaccountwithwritepermissionsmonitoringnew,94e1c2ac-cbbe-4cac-a2b5-389c812dee87,/providers/microsoft.authorization/policydefinitions/94e1c2ac-cbbe-4cac-a2b5-389c812dee87,azure_security_benchmark_v3.0_pa-4,tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access.",Security Center,Guest accounts with write permissions on Azure resources should be removed
01e7c251-3bed-4242-9d93-a5851b2e6671,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,01e7c251-3bed-4242-9d93-a5851b2e6671,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,identityremoveexternalaccountwithwritepermissionsmonitoring,5c607a2e-c700-4744-8254-d77e7c9eb5e4,/providers/microsoft.authorization/policydefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4,azure_security_benchmark_v3.0_pa-4,tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access.",Security Center,External accounts with write permissions should be removed from your subscription
01e7c251-3bed-4242-9d93-a5851b2e6671,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,01e7c251-3bed-4242-9d93-a5851b2e6671,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,identityremoveexternalaccountwithownerpermissionsmonitoringnew,339353f6-2387-4a45-abe4-7f529d121046,/providers/microsoft.authorization/policydefinitions/339353f6-2387-4a45-abe4-7f529d121046,System.Object[],tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access.",Security Center,Guest accounts with owner permissions on Azure resources should be removed
01e7c251-3bed-4242-9d93-a5851b2e6671,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,01e7c251-3bed-4242-9d93-a5851b2e6671,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,identityremovedeprecatedaccountmonitoringnew,8d7e1fde-fe26-4b5f-8108-f8e432cbc2be,/providers/microsoft.authorization/policydefinitions/8d7e1fde-fe26-4b5f-8108-f8e432cbc2be,azure_security_benchmark_v3.0_pa-4,tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in.",Security Center,Blocked accounts with read and write permissions on Azure resources should be removed
01e7c251-3bed-4242-9d93-a5851b2e6671,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,01e7c251-3bed-4242-9d93-a5851b2e6671,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,identityremoveexternalaccountwithownerpermissionsmonitoring,f8456c1c-aa66-4dfb-861a-25d127b775c9,/providers/microsoft.authorization/policydefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9,System.Object[],tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access.",Security Center,External accounts with owner permissions should be removed from your subscription
01e7c251-3bed-4242-9d93-a5851b2e6671,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,01e7c251-3bed-4242-9d93-a5851b2e6671,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,identityremovedeprecatedaccountwithownerpermissionsmonitoringnew,0cfea604-3201-4e14-88fc-fae4c427a6c5,/providers/microsoft.authorization/policydefinitions/0cfea604-3201-4e14-88fc-fae4c427a6c5,System.Object[],tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in.",Security Center,Blocked accounts with owner permissions on Azure resources should be removed
01e7c251-3bed-4242-9d93-a5851b2e6671,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,01e7c251-3bed-4242-9d93-a5851b2e6671,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,identityremovedeprecatedaccountwithownerpermissionsmonitoring,ebb62a0c-3560-49e1-89ed-27e074e9f8ad,/providers/microsoft.authorization/policydefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in.",Security Center,Deprecated accounts with owner permissions should be removed from your subscription
01e7c251-3bed-4242-9d93-a5851b2e6671,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,01e7c251-3bed-4242-9d93-a5851b2e6671,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,identityremovedeprecatedaccountmonitoring,6b1cbf55-e8b6-442f-ba4c-7246b6381474,/providers/microsoft.authorization/policydefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474,azure_security_benchmark_v3.0_pa-4,tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in.",Security Center,Deprecated accounts should be removed from your subscription
01e7c251-3bed-4242-9d93-a5851b2e6671,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,01e7c251-3bed-4242-9d93-a5851b2e6671,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,identityremovedeprecatedaccountwithownerpermissionsmonitoringnew,0cfea604-3201-4e14-88fc-fae4c427a6c5,/providers/microsoft.authorization/policydefinitions/0cfea604-3201-4e14-88fc-fae4c427a6c5,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in.",Security Center,Blocked accounts with owner permissions on Azure resources should be removed
01e7c251-3bed-4242-9d93-a5851b2e6671,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,01e7c251-3bed-4242-9d93-a5851b2e6671,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,identityremovedeprecatedaccountmonitoringnew,8d7e1fde-fe26-4b5f-8108-f8e432cbc2be,/providers/microsoft.authorization/policydefinitions/8d7e1fde-fe26-4b5f-8108-f8e432cbc2be,azure_security_benchmark_v3.0_pa-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in.",Security Center,Blocked accounts with read and write permissions on Azure resources should be removed
01e7c251-3bed-4242-9d93-a5851b2e6671,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,01e7c251-3bed-4242-9d93-a5851b2e6671,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,azuredefenderforopensourcerelationaldatabasesshouldbeenabledmonitoringeffect,0a9fbe0d-c5c4-4da8-87d8-f4fd77338835,/providers/microsoft.authorization/policydefinitions/0a9fbe0d-c5c4-4da8-87d8-f4fd77338835,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more about the capabilities of Azure Defender for open-source relational databases at https://aka.ms/AzDforOpenSourceDBsDocu. Important: Enabling this plan will result in charges for protecting your open-source relational databases. Learn about the pricing on Security Center's pricing page: https://aka.ms/pricing-security-center",Security Center,Azure Defender for open-source relational databases should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,01e7c251-3bed-4242-9d93-a5851b2e6671,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,emailnotificationforhighseverityalertsshouldbeenabledmonitoringeffect,6e2593d9-add6-4083-9c9b-4b7d2188c899,/providers/microsoft.authorization/policydefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899,azure_security_benchmark_v3.0_ir-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center.",Security Center,Email notification for high severity alerts should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,01e7c251-3bed-4242-9d93-a5851b2e6671,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,subscriptionsshouldhaveacontactemailaddressforsecurityissuesmonitoringeffect,4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7,/providers/microsoft.authorization/policydefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7,azure_security_benchmark_v3.0_ir-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center.",Security Center,Subscriptions should have a contact email address for security issues
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e667101e7c251-3bed-4242-9d93-a5851b2e667155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0containersadvancedthreatprotectionmonitoringeffect1c988dd6-ade4-430f-a608-2a3e5b0a6d38/providers/microsoft.authorization/policydefinitions/1c988dd6-ade4-430f-a608-2a3e5b0a6d38System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineMicrosoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments.Security CenterMicrosoft Defender for Containers should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e667101e7c251-3bed-4242-9d93-a5851b2e667155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1autoprovisioningoftheloganalyticsagentshouldbeenabledonyoursubscriptionmonitoringeffect475aae12-b88a-4572-8b36-9b712b2b3a17/providers/microsoft.authorization/policydefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineTo monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created.Security CenterAuto provisioning of the Log Analytics agent should be enabled on your subscription
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e667101e7c251-3bed-4242-9d93-a5851b2e667155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0microsoftdefendercspmshouldbeenabledmonitoringeffect1f90fc71-a595-4066-8974-d4d0802e8ef0/providers/microsoft.authorization/policydefinitions/1f90fc71-a595-4066-8974-d4d0802e8ef0System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineDefender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud.Security CenterMicrosoft Defender CSPM should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e667101e7c251-3bed-4242-9d93-a5851b2e667155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0azuredefenderfordnsshouldbeenabledmonitoringeffectbdc59948-5574-49b3-bb91-76b7c986428d/providers/microsoft.authorization/policydefinitions/bdc59948-5574-49b3-bb91-76b7c986428dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center .Security CenterAzure Defender for DNS should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e667101e7c251-3bed-4242-9d93-a5851b2e667155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0azuredefenderforresourcemanagershouldbeenabledmonitoringeffectc3d20c29-b36d-48fe-808b-99a87530ad99/providers/microsoft.authorization/policydefinitions/c3d20c29-b36d-48fe-808b-99a87530ad99System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center .Security CenterAzure Defender for Resource Manager should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e667101e7c251-3bed-4242-9d93-a5851b2e667155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.3storageaccountsadvanceddatasecuritymonitoringeffect308fbb08-4ab8-4e67-9b29-592e93fb94fa/providers/microsoft.authorization/policydefinitions/308fbb08-4ab8-4e67-9b29-592e93fb94faSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts.Security CenterAzure Defender for Storage should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e667101e7c251-3bed-4242-9d93-a5851b2e667155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2sqlserversvirtualmachinesadvanceddatasecuritymonitoringeffect6581d072-105e-4418-827f-bd446d56421b/providers/microsoft.authorization/policydefinitions/6581d072-105e-4418-827f-bd446d56421bSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.Security CenterAzure Defender for SQL servers on machines should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e667101e7c251-3bed-4242-9d93-a5851b2e667155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.3keyvaultsadvanceddatasecuritymonitoringeffect0e6763cc-5078-4e64-889d-ff4d9a839047/providers/microsoft.authorization/policydefinitions/0e6763cc-5078-4e64-889d-ff4d9a839047System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts.Security CenterAzure Defender for Key Vault should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e667101e7c251-3bed-4242-9d93-a5851b2e667155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.3virtualmachinesadvancedthreatprotectionmonitoringeffect4da35fc9-c9e7-4960-aec9-797fe7d9051d/providers/microsoft.authorization/policydefinitions/4da35fc9-c9e7-4960-aec9-797fe7d9051dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities.Security CenterAzure Defender for servers should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e667101e7c251-3bed-4242-9d93-a5851b2e667155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.3appservicesadvancedthreatprotectionmonitoringeffect2913021d-f2fd-4f3d-b958-22354e2bdbcb/providers/microsoft.authorization/policydefinitions/2913021d-f2fd-4f3d-b958-22354e2bdbcbSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.Security CenterAzure Defender for App Service should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e667101e7c251-3bed-4242-9d93-a5851b2e667155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2sqlserversadvanceddatasecuritymonitoringeffect7fe3b40f-802b-4cdd-8bd4-fd799c948cc2/providers/microsoft.authorization/policydefinitions/7fe3b40f-802b-4cdd-8bd4-fd799c948cc2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.Security CenterAzure Defender for Azure SQL Database servers should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e667101e7c251-3bed-4242-9d93-a5851b2e667155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0emailnotificationtosubscriptionownerforhighseverityalertsshouldbeenabledmonitoringeffect0b15565f-aa9e-48ba-8619-45960f2c314d/providers/microsoft.authorization/policydefinitions/0b15565f-aa9e-48ba-8619-45960f2c314dazure_security_benchmark_v3.0_ir-2tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center.Security CenterEmail notification to subscription owner for high severity alerts should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e667101e7c251-3bed-4242-9d93-a5851b2e667155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0microsoftdefendercspmshouldbeenabledmonitoringeffect1f90fc71-a595-4066-8974-d4d0802e8ef0/providers/microsoft.authorization/policydefinitions/1f90fc71-a595-4066-8974-d4d0802e8ef0System.Object[]tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDefender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud.Security CenterMicrosoft Defender CSPM should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e667101e7c251-3bed-4242-9d93-a5851b2e667155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1emailnotificationforhighseverityalertsshouldbeenabledmonitoringeffect6e2593d9-add6-4083-9c9b-4b7d2188c899/providers/microsoft.authorization/policydefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899azure_security_benchmark_v3.0_ir-2tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center.Security CenterEmail notification for high severity alerts should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e667101e7c251-3bed-4242-9d93-a5851b2e667155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1subscriptionsshouldhaveacontactemailaddressforsecurityissuesmonitoringeffect4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7/providers/microsoft.authorization/policydefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7azure_security_benchmark_v3.0_ir-2tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center.Security CenterSubscriptions should have a contact email address for security issues
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e667101e7c251-3bed-4242-9d93-a5851b2e667155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0azuredefenderforopensourcerelationaldatabasesshouldbeenabledmonitoringeffect0a9fbe0d-c5c4-4da8-87d8-f4fd77338835/providers/microsoft.authorization/policydefinitions/0a9fbe0d-c5c4-4da8-87d8-f4fd77338835System.Object[]tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more about the capabilities of Azure Defender for open-source relational databases at https://aka.ms/AzDforOpenSourceDBsDocu. Important: Enabling this plan will result in charges for protecting your open-source relational databases. Learn about the pricing on Security Center's pricing page: https://aka.ms/pricing-security-centerSecurity CenterAzure Defender for open-source relational databases should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e667101e7c251-3bed-4242-9d93-a5851b2e667155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0identityremoveexternalaccountwithreadpermissionsmonitoringnewe9ac8f8e-ce22-4355-8f04-99b911d6be52/providers/microsoft.authorization/policydefinitions/e9ac8f8e-ce22-4355-8f04-99b911d6be52azure_security_benchmark_v3.0_pa-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineExternal accounts with read privileges should be removed from your subscription in order to prevent unmonitored access.Security CenterGuest accounts with read permissions on Azure resources should be removed
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e667101e7c251-3bed-4242-9d93-a5851b2e667155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0identityremoveexternalaccountwithreadpermissionsmonitoring5f76cf89-fbf2-47fd-a3f4-b891fa780b60/providers/microsoft.authorization/policydefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60azure_security_benchmark_v3.0_pa-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineExternal accounts with read privileges should be removed from your subscription in order to prevent unmonitored access.Security CenterExternal accounts with read permissions should be removed from your subscription
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e667101e7c251-3bed-4242-9d93-a5851b2e667155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0identityremoveexternalaccountwithwritepermissionsmonitoring5c607a2e-c700-4744-8254-d77e7c9eb5e4/providers/microsoft.authorization/policydefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4azure_security_benchmark_v3.0_pa-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineExternal accounts with write privileges should be removed from your subscription in order to prevent unmonitored access.Security CenterExternal accounts with write permissions should be removed from your subscription
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e667101e7c251-3bed-4242-9d93-a5851b2e667155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0identityremoveexternalaccountwithwritepermissionsmonitoringnew94e1c2ac-cbbe-4cac-a2b5-389c812dee87/providers/microsoft.authorization/policydefinitions/94e1c2ac-cbbe-4cac-a2b5-389c812dee87azure_security_benchmark_v3.0_pa-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineExternal accounts with write privileges should be removed from your subscription in order to prevent unmonitored access.Security CenterGuest accounts with write permissions on Azure resources should be removed
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e667101e7c251-3bed-4242-9d93-a5851b2e667155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0identityremoveexternalaccountwithownerpermissionsmonitoringnew339353f6-2387-4a45-abe4-7f529d121046/providers/microsoft.authorization/policydefinitions/339353f6-2387-4a45-abe4-7f529d121046System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineExternal accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access.Security CenterGuest accounts with owner permissions on Azure resources should be removed
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e667101e7c251-3bed-4242-9d93-a5851b2e667155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0identityremoveexternalaccountwithownerpermissionsmonitoringf8456c1c-aa66-4dfb-861a-25d127b775c9/providers/microsoft.authorization/policydefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineExternal accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access.Security CenterExternal accounts with owner permissions should be removed from your subscription
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e667101e7c251-3bed-4242-9d93-a5851b2e667155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0identityremovedeprecatedaccountmonitoring6b1cbf55-e8b6-442f-ba4c-7246b6381474/providers/microsoft.authorization/policydefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474azure_security_benchmark_v3.0_pa-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineDeprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in.Security CenterDeprecated accounts should be removed from your subscription
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e667101e7c251-3bed-4242-9d93-a5851b2e667155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0identityremovedeprecatedaccountwithownerpermissionsmonitoringebb62a0c-3560-49e1-89ed-27e074e9f8ad/providers/microsoft.authorization/policydefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8adSystem.Object[]tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDeprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in.Security CenterDeprecated accounts with owner permissions should be removed from your subscription
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e667101e7c251-3bed-4242-9d93-a5851b2e667155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0identityenablemfaforreadpermissionsmonitoringe3576e28-8b17-4677-84c3-db2990658d64/providers/microsoft.authorization/policydefinitions/e3576e28-8b17-4677-84c3-db2990658d64azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineMulti-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.Security CenterMFA should be enabled on accounts with read permissions on your subscription
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e667101e7c251-3bed-4242-9d93-a5851b2e667155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0identityenablemfaforreadpermissionsmonitoringe3576e28-8b17-4677-84c3-db2990658d64/providers/microsoft.authorization/policydefinitions/e3576e28-8b17-4677-84c3-db2990658d64azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMulti-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.Security CenterMFA should be enabled on accounts with read permissions on your subscription
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/87d31636-ad85-4caa-802d-1535972b561287d31636-ad85-4caa-802d-1535972b561255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling.GeneralAudit usage of custom RBAC rules
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/7fd64851-3279-459b-b614-e2b2ba760f5b7fd64851-3279-459b-b614-e2b2ba760f5b55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling.GeneralAudit usage of custom RBAC rules
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/7fd64851-3279-459b-b614-e2b2ba760f5b7fd64851-3279-459b-b614-e2b2ba760f5b55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling.GeneralAudit usage of custom RBAC rules
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/94ddc4bc-25f5-4f3e-b527-c587da93cfe494ddc4bc-25f5-4f3e-b527-c587da93cfe455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling.GeneralAudit usage of custom RBAC rules
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/94ddc4bc-25f5-4f3e-b527-c587da93cfe494ddc4bc-25f5-4f3e-b527-c587da93cfe455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/9f15f5f5-77bd-413a-aa88-4b9c68b1e7bc9f15f5f5-77bd-413a-aa88-4b9c68b1e7bc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/9f15f5f5-77bd-413a-aa88-4b9c68b1e7bc9f15f5f5-77bd-413a-aa88-4b9c68b1e7bc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/a16c43ca-2d67-4dcd-9ded-6412f5edc51aa16c43ca-2d67-4dcd-9ded-6412f5edc51a55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/a16c43ca-2d67-4dcd-9ded-6412f5edc51aa16c43ca-2d67-4dcd-9ded-6412f5edc51a55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/a48d7796-14b4-4889-afef-fbb65a93e5a2a48d7796-14b4-4889-afef-fbb65a93e5a255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/a48d7796-14b4-4889-afef-fbb65a93e5a2a48d7796-14b4-4889-afef-fbb65a93e5a255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/a7b1b19a-0e83-4fe5-935c-faaefbfd18c3a7b1b19a-0e83-4fe5-935c-faaefbfd18c355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/a48d7896-14b4-4889-afef-fbb65a96e5a2a48d7896-14b4-4889-afef-fbb65a96e5a255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/a7b1b19a-0e83-4fe5-935c-faaefbfd18c3a7b1b19a-0e83-4fe5-935c-faaefbfd18c355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/a48d7896-14b4-4889-afef-fbb65a96e5a2a48d7896-14b4-4889-afef-fbb65a96e5a255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/b91f4c0b-46e3-47bb-a242-eecfe23b3b5bb91f4c0b-46e3-47bb-a242-eecfe23b3b5b55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/b91f4c0b-46e3-47bb-a242-eecfe23b3b5bb91f4c0b-46e3-47bb-a242-eecfe23b3b5b55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/c4a381a4-0c4b-4e5c-9c4e-a373db9a2d89c4a381a4-0c4b-4e5c-9c4e-a373db9a2d8955.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/fd1bb084-1503-4bd2-99c0-630220046786fd1bb084-1503-4bd2-99c0-63022004678655.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/e078ab98-ef3a-4c9a-aba7-12f5172b45d0e078ab98-ef3a-4c9a-aba7-12f5172b45d055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/c4a381a4-0c4b-4e5c-9c4e-a373db9a2d89c4a381a4-0c4b-4e5c-9c4e-a373db9a2d8955.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e667101e7c251-3bed-4242-9d93-a5851b2e667155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0identityenablemfaforreadpermissionsmonitoringnew81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4/providers/microsoft.authorization/policydefinitions/81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMulti-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.Security CenterAccounts with read permissions on Azure resources should be MFA enabled
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/fd1bb084-1503-4bd2-99c0-630220046786fd1bb084-1503-4bd2-99c0-63022004678655.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/e078ab98-ef3a-4c9a-aba7-12f5172b45d0e078ab98-ef3a-4c9a-aba7-12f5172b45d055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/ec8ea81d-6c21-48a8-8a22-0087a85c4fc5ec8ea81d-6c21-48a8-8a22-0087a85c4fc555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/7b266cd7-0bba-4ae2-8423-90ede5e1e8987b266cd7-0bba-4ae2-8423-90ede5e1e89855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/87d31636-ad85-4caa-802d-1535972b561287d31636-ad85-4caa-802d-1535972b561255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/ec8ea81d-6c21-48a8-8a22-0087a85c4fc5ec8ea81d-6c21-48a8-8a22-0087a85c4fc555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/2ad74d88-8c31-42a1-97fc-0c70e81932bf2ad74d88-8c31-42a1-97fc-0c70e81932bf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
01e7c251-3bed-4242-9d93-a5851b2e6671Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/7b266cd7-0bba-4ae2-8423-90ede5e1e8987b266cd7-0bba-4ae2-8423-90ede5e1e89855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
"01e7c251-3bed-4242-9d93-a5851b2e6671","","Microsoft.Resources/subscriptions","tbd","","True","Compliant","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671","01e7c251-3bed-4242-9d93-a5851b2e6671","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","1.0.0","identityenablemfaforwritepermissionsmonitoringeffect","931e118d-50a1-4457-a5e4-78550e086c52","/providers/microsoft.authorization/policydefinitions/931e118d-50a1-4457-a5e4-78550e086c52","azure_security_benchmark_v3.0_im-6","tbd","auditifnotexists","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671","tbd","","SecurityCenterBuiltIn","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.","Security Center","Accounts with write permissions on Azure resources should be MFA enabled"
"01e7c251-3bed-4242-9d93-a5851b2e6671","","Microsoft.Resources/subscriptions","tbd","","True","Compliant","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671","01e7c251-3bed-4242-9d93-a5851b2e6671","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","3.0.1","identityenablemfaforwritepermissionsmonitoring","9297c21d-2ed6-4474-b48f-163f75654ce3","/providers/microsoft.authorization/policydefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3","azure_security_benchmark_v3.0_im-6","tbd","auditifnotexists","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671","tbd","","SecurityCenterBuiltIn","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.","Security Center","MFA should be enabled for accounts with write permissions on your subscription"
"01e7c251-3bed-4242-9d93-a5851b2e6671","","Microsoft.Resources/subscriptions","tbd","","True","Compliant","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671","01e7c251-3bed-4242-9d93-a5851b2e6671","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","1.0.0","identityenablemfaforownerpermissionsmonitoringnew","e3e008c3-56b9-4133-8fd7-d3347377402a","/providers/microsoft.authorization/policydefinitions/e3e008c3-56b9-4133-8fd7-d3347377402a","azure_security_benchmark_v3.0_im-6","tbd","auditifnotexists","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671","tbd","","SecurityCenterBuiltIn","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.","Security Center","Accounts with owner permissions on Azure resources should be MFA enabled"
"01e7c251-3bed-4242-9d93-a5851b2e6671","","Microsoft.Resources/subscriptions","tbd","","True","Compliant","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671","01e7c251-3bed-4242-9d93-a5851b2e6671","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","3.0.0","identityenablemfaforownerpermissionsmonitoring","aa633080-8b72-40c4-a2d7-d00c03e80bed","/providers/microsoft.authorization/policydefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed","azure_security_benchmark_v3.0_im-6","tbd","auditifnotexists","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671","tbd","","SecurityCenterBuiltIn","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.","Security Center","MFA should be enabled on accounts with owner permissions on your subscription"
"01e7c251-3bed-4242-9d93-a5851b2e6671","","Microsoft.Resources/subscriptions","tbd","","True","Compliant","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671","01e7c251-3bed-4242-9d93-a5851b2e6671","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","3.0.0","identitydesignatelessthanownersmonitoring","4f11b553-d42e-4e3a-89be-32ca364cad4c","/providers/microsoft.authorization/policydefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c","azure_security_benchmark_v3.0_pa-1","tbd","auditifnotexists","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671","tbd","","SecurityCenterBuiltIn","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner.","Security Center","A maximum of 3 owners should be designated for your subscription"
"01e7c251-3bed-4242-9d93-a5851b2e6671","","Microsoft.Authorization/roleDefinitions","tbd","","False","NonCompliant","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/21d96096-b162-414a-8302-d8354f9d91b2","21d96096-b162-414a-8302-d8354f9d91b2","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","1.0.0","userbacrulesmonitoring","a451c1ef-c6ca-483d-87ed-f49761e3ffb5","/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","azure_security_benchmark_v3.0_pa-7","tbd","audit","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671","tbd","","SecurityCenterBuiltIn","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling","General","Audit usage of custom RBAC rules"
"01e7c251-3bed-4242-9d93-a5851b2e6671","","Microsoft.Authorization/roleDefinitions","tbd","","False","NonCompliant","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/260691e6-68c2-47cf-bd4a-97d5fd4dbcd5","260691e6-68c2-47cf-bd4a-97d5fd4dbcd5","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","1.0.0","userbacrulesmonitoring","a451c1ef-c6ca-483d-87ed-f49761e3ffb5","/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","azure_security_benchmark_v3.0_pa-7","tbd","audit","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671","tbd","","SecurityCenterBuiltIn","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling","General","Audit usage of custom RBAC rules"
"01e7c251-3bed-4242-9d93-a5851b2e6671","","Microsoft.Resources/subscriptions","tbd","","False","NonCompliant","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671","01e7c251-3bed-4242-9d93-a5851b2e6671","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","3.0.0","identitydesignatemorethanoneownermonitoring","09024ccc-0c5f-475e-9457-b7c0d9ed487b","/providers/microsoft.authorization/policydefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b","azure_security_benchmark_v3.0_pa-1","tbd","auditifnotexists","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671","tbd","","SecurityCenterBuiltIn","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","It is recommended to designate more than one subscription owner in order to have administrator access redundancy.","Security Center","There should be more than one owner assigned to your subscription"
"01e7c251-3bed-4242-9d93-a5851b2e6671","","Microsoft.Authorization/roleDefinitions","tbd","","False","NonCompliant","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/260691e6-68c2-47cf-bd4a-97d5fd4dbcd5","260691e6-68c2-47cf-bd4a-97d5fd4dbcd5","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","1.0.0","userbacrulesmonitoring","a451c1ef-c6ca-483d-87ed-f49761e3ffb5","/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","azure_security_benchmark_v3.0_pa-7","tbd","audit","","/providers/Microsoft.Management/managementGroups/MCAPSRegion","tbd","","Azure_Security_Baseline","/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline","Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling","General","Audit usage of custom RBAC rules"
"01e7c251-3bed-4242-9d93-a5851b2e6671","","Microsoft.Authorization/roleDefinitions","tbd","","False","NonCompliant","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/21d96096-b162-414a-8302-d8354f9d91b2","21d96096-b162-414a-8302-d8354f9d91b2","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","1.0.0","userbacrulesmonitoring","a451c1ef-c6ca-483d-87ed-f49761e3ffb5","/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","azure_security_benchmark_v3.0_pa-7","tbd","audit","","/providers/Microsoft.Management/managementGroups/MCAPSRegion","tbd","","Azure_Security_Baseline","/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline","Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling","General","Audit usage of custom RBAC rules"
"01e7c251-3bed-4242-9d93-a5851b2e6671","","Microsoft.Authorization/roleDefinitions","tbd","","False","NonCompliant","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/2ad74d88-8c31-42a1-97fc-0c70e81932bf","2ad74d88-8c31-42a1-97fc-0c70e81932bf","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","1.0.0","userbacrulesmonitoring","a451c1ef-c6ca-483d-87ed-f49761e3ffb5","/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","azure_security_benchmark_v3.0_pa-7","tbd","audit","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671","tbd","","SecurityCenterBuiltIn","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling","General","Audit usage of custom RBAC rules"
"01e7c251-3bed-4242-9d93-a5851b2e6671","","Microsoft.Authorization/roleDefinitions","tbd","","False","NonCompliant","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/7aff565e-6c55-448d-83db-ccf482c6da2f","7aff565e-6c55-448d-83db-ccf482c6da2f","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","1.0.0","userbacrulesmonitoring","a451c1ef-c6ca-483d-87ed-f49761e3ffb5","/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","azure_security_benchmark_v3.0_pa-7","tbd","audit","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671","tbd","","SecurityCenterBuiltIn","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling","General","Audit usage of custom RBAC rules"
"01e7c251-3bed-4242-9d93-a5851b2e6671","","Microsoft.Authorization/roleDefinitions","tbd","","False","NonCompliant","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/2f296bf1-1015-4c42-84b4-530f3d48ba9e","2f296bf1-1015-4c42-84b4-530f3d48ba9e","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","1.0.0","userbacrulesmonitoring","a451c1ef-c6ca-483d-87ed-f49761e3ffb5","/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","azure_security_benchmark_v3.0_pa-7","tbd","audit","","/providers/Microsoft.Management/managementGroups/MCAPSRegion","tbd","","Azure_Security_Baseline","/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline","Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling","General","Audit usage of custom RBAC rules"
"01e7c251-3bed-4242-9d93-a5851b2e6671","","Microsoft.Authorization/roleDefinitions","tbd","","False","NonCompliant","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/7aff565e-6c55-448d-83db-ccf482c6da2f","7aff565e-6c55-448d-83db-ccf482c6da2f","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","1.0.0","userbacrulesmonitoring","a451c1ef-c6ca-483d-87ed-f49761e3ffb5","/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","azure_security_benchmark_v3.0_pa-7","tbd","audit","","/providers/Microsoft.Management/managementGroups/MCAPSRegion","tbd","","Azure_Security_Baseline","/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline","Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling","General","Audit usage of custom RBAC rules"
"01e7c251-3bed-4242-9d93-a5851b2e6671","","Microsoft.Authorization/roleDefinitions","tbd","","False","NonCompliant","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/roledefinitions/2f296bf1-1015-4c42-84b4-530f3d48ba9e","2f296bf1-1015-4c42-84b4-530f3d48ba9e","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","1.0.0","userbacrulesmonitoring","a451c1ef-c6ca-483d-87ed-f49761e3ffb5","/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5","azure_security_benchmark_v3.0_pa-7","tbd","audit","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671","tbd","","SecurityCenterBuiltIn","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling","General","Audit usage of custom RBAC rules"
"01e7c251-3bed-4242-9d93-a5851b2e6671","adfrg","Microsoft.Storage/storageAccounts","tbd","westus","False","NonCompliant","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynapseadlsa","wolffsynapseadlsa","","","","","","","","","","37e71fce-000a-453e-bb64-6e06cb2af34e","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policydefinitions/37e71fce-000a-453e-bb64-6e06cb2af34e","","tbd","auditifnotexists","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671","tbd","","50b6c395621b4c99a8693ae9","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/50b6c395621b4c99a8693ae9","alert to enable metrics to storage account blob sizes","Alerts","Custom policy for alerts on blob storage"
"01e7c251-3bed-4242-9d93-a5851b2e6671","adfrg","Microsoft.Storage/storageAccounts","tbd","eastus","True","Compliant","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynadlsacct","wolffsynadlsacct","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","2.0.0","storageaccountshoulduseaprivatelinkconnectionmonitoringeffect","6edd7eda-6dd8-40f7-810d-67160c639cd9","/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9","azure_security_benchmark_v3.0_ns-2","tbd","auditifnotexists","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671","tbd","","SecurityCenterBuiltIn","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview","Storage","Storage accounts should use private link"
"01e7c251-3bed-4242-9d93-a5851b2e6671","adfrg","Microsoft.Storage/storageAccounts","tbd","westus","True","Compliant","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynapseadlsa","wolffsynapseadlsa","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","1.0.1","storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect","2a1a9cdf-e04d-429a-8416-3bfb72a1b26f","/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f","azure_security_benchmark_v3.0_ns-2","tbd","audit","","/providers/Microsoft.Management/managementGroups/MCAPSRegion","tbd","","Azure_Security_Baseline","/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline","Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.","Storage","Storage accounts should restrict network access using virtual network rules"
"01e7c251-3bed-4242-9d93-a5851b2e6671","adfrg","Microsoft.Storage/storageAccounts","tbd","westus","True","Compliant","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynapseadlsa","wolffsynapseadlsa","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","2.0.0","storageaccountshoulduseaprivatelinkconnectionmonitoringeffect","6edd7eda-6dd8-40f7-810d-67160c639cd9","/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9","azure_security_benchmark_v3.0_ns-2","tbd","auditifnotexists","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671","tbd","","SecurityCenterBuiltIn","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview","Storage","Storage accounts should use private link"
"01e7c251-3bed-4242-9d93-a5851b2e6671","adfrg","Microsoft.Storage/storageAccounts","tbd","westus","True","Compliant","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynapseadlsa","wolffsynapseadlsa","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","3.1.0-preview","storagedisallowpublicaccess","4fa4b6c0-31ca-4c0d-b10d-24b96f62a751","/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751","azure_security_benchmark_v3.0_ns-2","tbd","audit","","/providers/Microsoft.Management/managementGroups/MCAPSRegion","tbd","","Azure_Security_Baseline","/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline","Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.","Storage","[Preview]: Storage account public access should be disallowed"
"01e7c251-3bed-4242-9d93-a5851b2e6671","adfrg","Microsoft.Storage/storageAccounts","tbd","westus","True","Compliant","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynapseadlsa","wolffsynapseadlsa","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","1.0.0","classicstorageaccountsmonitoring","37e0d2fe-28a5-43d6-a273-67d37d1f5606","/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606","azure_security_benchmark_v3.0_am-2","tbd","audit","","/providers/Microsoft.Management/managementGroups/MCAPSRegion","tbd","","Azure_Security_Baseline","/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline","Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management","Storage","Storage accounts should be migrated to new Azure Resource Manager resources"
"01e7c251-3bed-4242-9d93-a5851b2e6671","adfrg","Microsoft.Storage/storageAccounts","tbd","westus","True","Compliant","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynapseadlsa","wolffsynapseadlsa","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","2.0.0","securetransfertostorageaccountmonitoring","404c3081-a854-4457-ae30-26a93ef643f9","/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9","azure_security_benchmark_v3.0_dp-3","tbd","audit","","/providers/Microsoft.Management/managementGroups/MCAPSRegion","tbd","","Azure_Security_Baseline","/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline","Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking","Storage","Secure transfer to storage accounts should be enabled"
"01e7c251-3bed-4242-9d93-a5851b2e6671","adfrg","Microsoft.Storage/storageAccounts","tbd","westus","True","Compliant","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynapseadlsa","wolffsynapseadlsa","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","1.1.1","disableunrestrictednetworktostorageaccountmonitoring","34c877ad-507e-4c82-993e-3452a6e0ad3c","/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","azure_security_benchmark_v3.0_ns-2","tbd","audit","","/providers/Microsoft.Management/managementGroups/MCAPSRegion","tbd","","Azure_Security_Baseline","/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline","Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges","Storage","Storage accounts should restrict network access"
"01e7c251-3bed-4242-9d93-a5851b2e6671","adfrg","Microsoft.Storage/storageAccounts","tbd","westus","True","Compliant","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynapseadlsa","wolffsynapseadlsa","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","1.0.1","storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect","2a1a9cdf-e04d-429a-8416-3bfb72a1b26f","/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f","azure_security_benchmark_v3.0_ns-2","tbd","audit","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671","tbd","","SecurityCenterBuiltIn","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.","Storage","Storage accounts should restrict network access using virtual network rules"
"01e7c251-3bed-4242-9d93-a5851b2e6671","adfrg","Microsoft.Storage/storageAccounts","tbd","westus","True","Compliant","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynapseadlsa","wolffsynapseadlsa","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","3.1.0-preview","storagedisallowpublicaccess","4fa4b6c0-31ca-4c0d-b10d-24b96f62a751","/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751","azure_security_benchmark_v3.0_ns-2","tbd","audit","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671","tbd","","SecurityCenterBuiltIn","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.","Storage","[Preview]: Storage account public access should be disallowed"
"01e7c251-3bed-4242-9d93-a5851b2e6671","adfrg","Microsoft.Storage/storageAccounts","tbd","westus","True","Compliant","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynapseadlsa","wolffsynapseadlsa","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","1.0.0","classicstorageaccountsmonitoring","37e0d2fe-28a5-43d6-a273-67d37d1f5606","/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606","azure_security_benchmark_v3.0_am-2","tbd","audit","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671","tbd","","SecurityCenterBuiltIn","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management","Storage","Storage accounts should be migrated to new Azure Resource Manager resources"
"01e7c251-3bed-4242-9d93-a5851b2e6671","adfrg","Microsoft.Storage/storageAccounts","tbd","westus","False","NonCompliant","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/covidmsreportingrg","covidmsreportingrg","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","2.0.0","storageaccountshoulduseaprivatelinkconnectionmonitoringeffect","6edd7eda-6dd8-40f7-810d-67160c639cd9","/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9","azure_security_benchmark_v3.0_ns-2","tbd","auditifnotexists","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671","tbd","","SecurityCenterBuiltIn","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview","Storage","Storage accounts should use private link"
"01e7c251-3bed-4242-9d93-a5851b2e6671","adfrg","Microsoft.Storage/storageAccounts","tbd","eastus","True","Compliant","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynadlsacct","wolffsynadlsacct","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","2.0.0","storageaccountshoulduseaprivatelinkconnectionmonitoringeffect","6edd7eda-6dd8-40f7-810d-67160c639cd9","/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9","azure_security_benchmark_v3.0_ns-2","tbd","auditifnotexists","","/providers/Microsoft.Management/managementGroups/MCAPSRegion","tbd","","Azure_Security_Baseline","/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline","Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview","Storage","Storage accounts should use private link"
"01e7c251-3bed-4242-9d93-a5851b2e6671","adfrg","Microsoft.Storage/storageAccounts","tbd","westus","True","Compliant","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynapsesa2","wolffsynapsesa2","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","3.1.0-preview","storagedisallowpublicaccess","4fa4b6c0-31ca-4c0d-b10d-24b96f62a751","/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751","azure_security_benchmark_v3.0_ns-2","tbd","audit","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671","tbd","","SecurityCenterBuiltIn","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.","Storage","[Preview]: Storage account public access should be disallowed"
"01e7c251-3bed-4242-9d93-a5851b2e6671","adfrg","Microsoft.Storage/storageAccounts","tbd","westus","True","Compliant","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynapsesa2","wolffsynapsesa2","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","1.0.0","classicstorageaccountsmonitoring","37e0d2fe-28a5-43d6-a273-67d37d1f5606","/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606","azure_security_benchmark_v3.0_am-2","tbd","audit","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671","tbd","","SecurityCenterBuiltIn","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management","Storage","Storage accounts should be migrated to new Azure Resource Manager resources"
"01e7c251-3bed-4242-9d93-a5851b2e6671","adfrg","Microsoft.Storage/storageAccounts","tbd","westus","True","Compliant","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynapseadlsa","wolffsynapseadlsa","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","2.0.0","storageaccountshoulduseaprivatelinkconnectionmonitoringeffect","6edd7eda-6dd8-40f7-810d-67160c639cd9","/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9","azure_security_benchmark_v3.0_ns-2","tbd","auditifnotexists","","/providers/Microsoft.Management/managementGroups/MCAPSRegion","tbd","","Azure_Security_Baseline","/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline","Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview","Storage","Storage accounts should use private link"
"01e7c251-3bed-4242-9d93-a5851b2e6671","adfrg","Microsoft.Storage/storageAccounts","tbd","westus","True","Compliant","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynapseadlsa","wolffsynapseadlsa","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","2.0.0","securetransfertostorageaccountmonitoring","404c3081-a854-4457-ae30-26a93ef643f9","/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9","azure_security_benchmark_v3.0_dp-3","tbd","audit","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671","tbd","","SecurityCenterBuiltIn","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking","Storage","Secure transfer to storage accounts should be enabled"
"01e7c251-3bed-4242-9d93-a5851b2e6671","adfrg","Microsoft.Storage/storageAccounts","tbd","westus","True","Compliant","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynapsesa2","wolffsynapsesa2","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","1.0.1","storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect","2a1a9cdf-e04d-429a-8416-3bfb72a1b26f","/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f","azure_security_benchmark_v3.0_ns-2","tbd","audit","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671","tbd","","SecurityCenterBuiltIn","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.","Storage","Storage accounts should restrict network access using virtual network rules"
"01e7c251-3bed-4242-9d93-a5851b2e6671","adfrg","Microsoft.Storage/storageAccounts","tbd","westus","True","Compliant","","/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynapsesa2","wolffsynapsesa2","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","1.1.1","disableunrestrictednetworktostorageaccountmonitoring","34c877ad-507e-4c82-993e-3452a6e0ad3c","/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c","azure_security_benchmark_v3.0_ns-2","tbd","audit","","/providers/Microsoft.Management/managementGroups/MCAPSRegion","tbd","","Azure_Security_Baseline","/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline","Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges","Storage","Storage accounts should restrict network access"
01e7c251-3bed-4242-9d93-a5851b2e6671adfrgMicrosoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynapsesa2wolffsynapsesa255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671adfrgMicrosoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynapsesa2wolffsynapsesa255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
01e7c251-3bed-4242-9d93-a5851b2e6671adfrgMicrosoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynapsesa2wolffsynapsesa255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
01e7c251-3bed-4242-9d93-a5851b2e6671adfrgMicrosoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynapsesa2wolffsynapsesa255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
01e7c251-3bed-4242-9d93-a5851b2e6671adfrgMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/covidmsreportingrgcovidmsreportingrg55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
01e7c251-3bed-4242-9d93-a5851b2e6671adfrgMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynapsesa2wolffsynapsesa237e71fce-000a-453e-bb64-6e06cb2af34e/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policydefinitions/37e71fce-000a-453e-bb64-6e06cb2af34etbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbd50b6c395621b4c99a8693ae9/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/50b6c395621b4c99a8693ae9alert to enable metrics to storage account blob sizesAlertsCustom policy for alerts on blob storage
01e7c251-3bed-4242-9d93-a5851b2e6671adfrgMicrosoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvaultwolffkeyvault55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
01e7c251-3bed-4242-9d93-a5851b2e6671adfrgMicrosoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynapsesa2wolffsynapsesa255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671adfrgMicrosoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvaultwolffkeyvault55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
01e7c251-3bed-4242-9d93-a5851b2e6671adfrgMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynadlsacctwolffsynadlsacct55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
01e7c251-3bed-4242-9d93-a5851b2e6671adfrgMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynadlsacctwolffsynadlsacct55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
01e7c251-3bed-4242-9d93-a5851b2e6671adfrgMicrosoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynapsesa2wolffsynapsesa255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
01e7c251-3bed-4242-9d93-a5851b2e6671adfrgMicrosoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvaultwolffkeyvault55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect0b60c0b2-2dc2-4e1c-b5c9-abbed971de53/providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53azure_security_benchmark_v3.0_dp-8tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMalicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.Key VaultKey vaults should have purge protection enabled
01e7c251-3bed-4242-9d93-a5851b2e6671adfrgMicrosoft.KeyVault/vaultstbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvaultwolffkeyvault55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0keyvaultsshouldhavesoftdeleteenabledmonitoringeffect1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d/providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2dazure_security_benchmark_v3.0_dp-8tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDeleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.Key VaultKey vaults should have soft delete enabled
01e7c251-3bed-4242-9d93-a5851b2e6671adfrgMicrosoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvaultwolffkeyvault55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0firewallshouldbeenabledonkeyvaultmonitoringeffect55615ac9-af46-4a59-874e-391cc3dfb490/providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490System.Object[]tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-securityKey VaultAzure Key Vault should have firewall enabled
01e7c251-3bed-4242-9d93-a5851b2e6671adfrgMicrosoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvaultwolffkeyvault55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0-previewprivateendpointshouldbeconfiguredforkeyvaultmonitoringeffect5f0bc445-3935-4915-9981-011aa2b46147/providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147System.Object[]tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPrivate link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration.Key Vault[Preview]: Private endpoint should be configured for Key Vault
01e7c251-3bed-4242-9d93-a5851b2e6671adfrgMicrosoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvaultwolffkeyvault55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect0b60c0b2-2dc2-4e1c-b5c9-abbed971de53/providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53azure_security_benchmark_v3.0_dp-8tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineMalicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.Key VaultKey vaults should have purge protection enabled
01e7c251-3bed-4242-9d93-a5851b2e6671adfrgMicrosoft.KeyVault/vaultstbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvaultwolffkeyvault55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0keyvaultsshouldhavesoftdeleteenabledmonitoringeffect1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d/providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2dazure_security_benchmark_v3.0_dp-8tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineDeleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.Key VaultKey vaults should have soft delete enabled
01e7c251-3bed-4242-9d93-a5851b2e6671adfrgMicrosoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvaultwolffkeyvault55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0firewallshouldbeenabledonkeyvaultmonitoringeffect55615ac9-af46-4a59-874e-391cc3dfb490/providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490System.Object[]tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-securityKey VaultAzure Key Vault should have firewall enabled
01e7c251-3bed-4242-9d93-a5851b2e6671adfrgMicrosoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvaultwolffkeyvault55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0-previewprivateendpointshouldbeconfiguredforkeyvaultmonitoringeffect5f0bc445-3935-4915-9981-011aa2b46147/providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147System.Object[]tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselinePrivate link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration.Key Vault[Preview]: Private endpoint should be configured for Key Vault
01e7c251-3bed-4242-9d93-a5851b2e6671adfrgMicrosoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvaultwolffkeyvault55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center5.0.0diagnosticslogsinkeyvaultmonitoringcf820ca0-f99e-4f3e-84fb-66e913812d21/providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21System.Object[]tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromisedKey VaultResource logs in Key Vault should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671adfrgMicrosoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvaultwolffkeyvault55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center5.0.0diagnosticslogsinkeyvaultmonitoringcf820ca0-f99e-4f3e-84fb-66e913812d21/providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromisedKey VaultResource logs in Key Vault should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671adfrgMicrosoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/covidmsreportingrgcovidmsreportingrg55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671adfrgMicrosoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/covidmsreportingrgcovidmsreportingrg55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
01e7c251-3bed-4242-9d93-a5851b2e6671,adfrg,Microsoft.Storage/storageAccounts,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/covidmsreportingrg,covidmsreportingrg,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,"[Preview]: Storage account public access should be disallowed"
01e7c251-3bed-4242-9d93-a5851b2e6671,adfrg,Microsoft.Storage/storageAccounts,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/covidmsreportingrg,covidmsreportingrg,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,Storage accounts should restrict network access using virtual network rules
01e7c251-3bed-4242-9d93-a5851b2e6671,adfrg,Microsoft.Storage/storageAccounts,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/covidmsreportingrg,covidmsreportingrg,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.1.1,disableunrestrictednetworktostorageaccountmonitoring,34c877ad-507e-4c82-993e-3452a6e0ad3c,/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges",Storage,Storage accounts should restrict network access
01e7c251-3bed-4242-9d93-a5851b2e6671,adfrg,Microsoft.Storage/storageAccounts,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/covidmsreportingrg,covidmsreportingrg,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,Storage accounts should be migrated to new Azure Resource Manager resources
01e7c251-3bed-4242-9d93-a5851b2e6671,adfrg,Microsoft.Storage/storageAccounts,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/covidmsreportingrg,covidmsreportingrg,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,"[Preview]: Storage account public access should be disallowed"
01e7c251-3bed-4242-9d93-a5851b2e6671,adfrg,Microsoft.Storage/storageAccounts,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/covidmsreportingrg,covidmsreportingrg,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,Storage accounts should restrict network access using virtual network rules
01e7c251-3bed-4242-9d93-a5851b2e6671,adfrg,Microsoft.Storage/storageAccounts,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/covidmsreportingrg,covidmsreportingrg,,,,,,,,,,37e71fce-000a-453e-bb64-6e06cb2af34e,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policydefinitions/37e71fce-000a-453e-bb64-6e06cb2af34e,,tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,50b6c395621b4c99a8693ae9,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/50b6c395621b4c99a8693ae9,alert to enable metrics to storage account blob sizes,Alerts,Custom policy for alerts on blob storage
01e7c251-3bed-4242-9d93-a5851b2e6671,adfrg,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynadlsacct,wolffsynadlsacct,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671,adfrg,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynadlsacct,wolffsynadlsacct,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,"[Preview]: Storage account public access should be disallowed"
01e7c251-3bed-4242-9d93-a5851b2e6671,adfrg,Microsoft.Storage/storageAccounts,tbd,eastus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynadlsacct,wolffsynadlsacct,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,Storage accounts should restrict network access using virtual network rules
01e7c251-3bed-4242-9d93-a5851b2e6671,adfrg,Microsoft.Storage/storageAccounts,tbd,eastus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynadlsacct,wolffsynadlsacct,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.1.1,disableunrestrictednetworktostorageaccountmonitoring,34c877ad-507e-4c82-993e-3452a6e0ad3c,/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges",Storage,Storage accounts should restrict network access
01e7c251-3bed-4242-9d93-a5851b2e6671,adfrg,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynadlsacct,wolffsynadlsacct,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671,adfrg,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynadlsacct,wolffsynadlsacct,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,Storage accounts should be migrated to new Azure Resource Manager resources
01e7c251-3bed-4242-9d93-a5851b2e6671,adfrg,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynadlsacct,wolffsynadlsacct,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,"[Preview]: Storage account public access should be disallowed"
01e7c251-3bed-4242-9d93-a5851b2e6671,adfrg,Microsoft.Storage/storageAccounts,tbd,eastus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynadlsacct,wolffsynadlsacct,,,,,,,,,,37e71fce-000a-453e-bb64-6e06cb2af34e,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policydefinitions/37e71fce-000a-453e-bb64-6e06cb2af34e,,tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,50b6c395621b4c99a8693ae9,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/50b6c395621b4c99a8693ae9,alert to enable metrics to storage account blob sizes,Alerts,Custom policy for alerts on blob storage
01e7c251-3bed-4242-9d93-a5851b2e6671,adfrg,Microsoft.Storage/storageAccounts,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/wolffsynapsesa2,wolffsynapsesa2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,Storage accounts should use private link
01e7c251-3bed-4242-9d93-a5851b2e6671,adfrg,Microsoft.Storage/storageAccounts,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.storage/storageaccounts/covidmsreportingrg,covidmsreportingrg,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671,adfrg,Microsoft.KeyVault/vaults,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvault,wolffkeyvault,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,,,1.0.2,secretsexpirationset,98728c90-32c7-4049-8429-847dc0f4fe37,/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37,,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.",Key Vault,Key Vault secrets should have an expiration date
01e7c251-3bed-4242-9d93-a5851b2e6671,adfrg,Microsoft.Synapse/workspaces,tbd,eastus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.synapse/workspaces/wolffsynapseworkspace,wolffsynapseworkspace,3.0.0,,,9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97,/providers/Microsoft.Authorization/policySetDefinitions/9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97,security center,,1.0.0,deploythreatdetectiononsynapseworkspaces,951c1558-50a5-4ca3-abb6-a93e3e2367a6,/providers/microsoft.authorization/policydefinitions/951c1558-50a5-4ca3-abb6-a93e3e2367a6,,tbd,deployifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,DataProtectionSecurityCenter,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/dataprotectionsecuritycenter,"Enable Microsoft Defender for SQL on your Azure Synapse workspaces to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit SQL databases.",Security Center,Configure Microsoft Defender for SQL to be enabled on Synapse workspaces
01e7c251-3bed-4242-9d93-a5851b2e6671,adfrg,Microsoft.Synapse/workspaces,tbd,eastus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.synapse/workspaces/wolffsynapsenewworkspace,wolffsynapsenewworkspace,3.0.0,,,9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97,/providers/Microsoft.Authorization/policySetDefinitions/9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97,security center,,1.0.0,deploythreatdetectiononsynapseworkspaces,951c1558-50a5-4ca3-abb6-a93e3e2367a6,/providers/microsoft.authorization/policydefinitions/951c1558-50a5-4ca3-abb6-a93e3e2367a6,,tbd,deployifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,DataProtectionSecurityCenter,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/dataprotectionsecuritycenter,"Enable Microsoft Defender for SQL on your Azure Synapse workspaces to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit SQL databases.",Security Center,Configure Microsoft Defender for SQL to be enabled on Synapse workspaces
01e7c251-3bed-4242-9d93-a5851b2e6671adfrgMicrosoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvaultwolffkeyvault55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
01e7c251-3bed-4242-9d93-a5851b2e6671adfrgMicrosoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvaultwolffkeyvault55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
01e7c251-3bed-4242-9d93-a5851b2e6671adfrgMicrosoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvaultwolffkeyvault55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
01e7c251-3bed-4242-9d93-a5851b2e6671adfrgMicrosoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvaultwolffkeyvault55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
01e7c251-3bed-4242-9d93-a5851b2e6671adfrgMicrosoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvaultwolffkeyvault55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
01e7c251-3bed-4242-9d93-a5851b2e6671adfrgMicrosoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvaultwolffkeyvault55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
01e7c251-3bed-4242-9d93-a5851b2e6671adfrgMicrosoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvaultwolffkeyvault55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
01e7c251-3bed-4242-9d93-a5851b2e6671adfrgMicrosoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvaultwolffkeyvault55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
01e7c251-3bed-4242-9d93-a5851b2e6671adfrgMicrosoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvaultwolffkeyvault55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
01e7c251-3bed-4242-9d93-a5851b2e6671adfrgMicrosoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvaultwolffkeyvault55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
01e7c251-3bed-4242-9d93-a5851b2e6671adfrgMicrosoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.keyvault/vaults/wolffkeyvaultwolffkeyvault55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
01e7c251-3bed-4242-9d93-a5851b2e6671,adfrg,Microsoft.Synapse/workspaces,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/adfrg/providers/microsoft.synapse/workspaces/wolffsynapsewp3,wolffsynapsewp3,3.0.0,,,9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97,/providers/Microsoft.Authorization/policySetDefinitions/9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97,security center,,1.0.0,deploythreatdetectiononsynapseworkspaces,951c1558-50a5-4ca3-abb6-a93e3e2367a6,/providers/microsoft.authorization/policydefinitions/951c1558-50a5-4ca3-abb6-a93e3e2367a6,,tbd,deployifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,DataProtectionSecurityCenter,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/dataprotectionsecuritycenter,"Enable Microsoft Defender for SQL on your Azure Synapse workspaces to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit SQL databases.",Security Center,Configure Microsoft Defender for SQL to be enabled on Synapse workspaces
01e7c251-3bed-4242-9d93-a5851b2e6671,anomalydectrg,Microsoft.CognitiveServices/accounts,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/anomalydectrg/providers/microsoft.cognitiveservices/accounts/wolffanomalydector,wolffanomalydector,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,cognitiveservicesaccountsshouldrestrictnetworkaccessmonitoringeffect,037eea7a-bd0a-46c5-9a66-03aea78705d3,/providers/microsoft.authorization/policydefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.",Cognitive Services,Cognitive Services accounts should restrict network access
01e7c251-3bed-4242-9d93-a5851b2e6671,anomalydectrg,Microsoft.CognitiveServices/accounts,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/anomalydectrg/providers/microsoft.cognitiveservices/accounts/wolffanomalydector,wolffanomalydector,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.1,publicnetworkaccessshouldbedisabledforcognitiveservicesaccountsmonitoringeffect,0725b4dd-7e76-479c-a735-68e7ee23d5ca,/providers/microsoft.authorization/policydefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://go.microsoft.com/fwlink/?linkid=2129800. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks.",Cognitive Services,Cognitive Services accounts should disable public network access
01e7c251-3bed-4242-9d93-a5851b2e6671,anomalydectrg,Microsoft.CognitiveServices/accounts,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/anomalydectrg/providers/microsoft.cognitiveservices/accounts/wolffanomaly,wolffanomaly,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,cognitiveservicesaccountsshouldrestrictnetworkaccessmonitoringeffect,037eea7a-bd0a-46c5-9a66-03aea78705d3,/providers/microsoft.authorization/policydefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.",Cognitive Services,Cognitive Services accounts should restrict network access
01e7c251-3bed-4242-9d93-a5851b2e6671,anomalydectrg,Microsoft.CognitiveServices/accounts,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/anomalydectrg/providers/microsoft.cognitiveservices/accounts/wolffanomaly,wolffanomaly,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,cognitiveservicesaccountsshouldrestrictnetworkaccessmonitoringeffect,037eea7a-bd0a-46c5-9a66-03aea78705d3,/providers/microsoft.authorization/policydefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.",Cognitive Services,Cognitive Services accounts should restrict network access
01e7c251-3bed-4242-9d93-a5851b2e6671,anomalydectrg,Microsoft.CognitiveServices/accounts,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/anomalydectrg/providers/microsoft.cognitiveservices/accounts/wolffanomaly,wolffanomaly,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.1,publicnetworkaccessshouldbedisabledforcognitiveservicesaccountsmonitoringeffect,0725b4dd-7e76-479c-a735-68e7ee23d5ca,/providers/microsoft.authorization/policydefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://go.microsoft.com/fwlink/?linkid=2129800. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks.",Cognitive Services,Cognitive Services accounts should disable public network access
01e7c251-3bed-4242-9d93-a5851b2e6671,anomalydectrg,Microsoft.CognitiveServices/accounts,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/anomalydectrg/providers/microsoft.cognitiveservices/accounts/wolffanomaly,wolffanomaly,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.1,publicnetworkaccessshouldbedisabledforcognitiveservicesaccountsmonitoringeffect,0725b4dd-7e76-479c-a735-68e7ee23d5ca,/providers/microsoft.authorization/policydefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://go.microsoft.com/fwlink/?linkid=2129800. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks.",Cognitive Services,Cognitive Services accounts should disable public network access
01e7c251-3bed-4242-9d93-a5851b2e6671,anomalydectrg,Microsoft.CognitiveServices/accounts,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/anomalydectrg/providers/microsoft.cognitiveservices/accounts/wolffanomalydector,wolffanomalydector,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.1,publicnetworkaccessshouldbedisabledforcognitiveservicesaccountsmonitoringeffect,0725b4dd-7e76-479c-a735-68e7ee23d5ca,/providers/microsoft.authorization/policydefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://go.microsoft.com/fwlink/?linkid=2129800. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks.",Cognitive Services,Cognitive Services accounts should disable public network access
01e7c251-3bed-4242-9d93-a5851b2e6671,anomalydectrg,Microsoft.CognitiveServices/accounts,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/anomalydectrg/providers/microsoft.cognitiveservices/accounts/wolffanomalydector,wolffanomalydector,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,cognitiveservicesaccountsshouldrestrictnetworkaccessmonitoringeffect,037eea7a-bd0a-46c5-9a66-03aea78705d3,/providers/microsoft.authorization/policydefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.",Cognitive Services,Cognitive Services accounts should restrict network access
01e7c251-3bed-4242-9d93-a5851b2e6671,databricks-rg-wolffdatabricks-fwcg6zc572rwo,Microsoft.Storage/storageAccounts,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/databricks-rg-wolffdatabricks-fwcg6zc572rwo/providers/microsoft.storage/storageaccounts/dbstorageup2c3j2q6udua,dbstorageup2c3j2q6udua,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,Storage accounts should use private link
01e7c251-3bed-4242-9d93-a5851b2e6671,databricks-rg-wolffdatabricks-fwcg6zc572rwo,Microsoft.Network/virtualNetworks/subnets,tbd,,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/databricks-rg-wolffdatabricks-fwcg6zc572rwo/providers/microsoft.network/virtualnetworks/workers-vnet/subnets/private-subnet,private-subnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",Security Center,Subnets should be associated with a Network Security Group
01e7c251-3bed-4242-9d93-a5851b2e6671,databricks-rg-wolffdatabricks-fwcg6zc572rwo,Microsoft.Storage/storageAccounts,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/databricks-rg-wolffdatabricks-fwcg6zc572rwo/providers/microsoft.storage/storageaccounts/dbstorageup2c3j2q6udua,dbstorageup2c3j2q6udua,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,Storage accounts should use private link
01e7c251-3bed-4242-9d93-a5851b2e6671,databricks-rg-wolffdatabricks-fwcg6zc572rwo,Microsoft.Network/virtualNetworks/subnets,tbd,,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/databricks-rg-wolffdatabricks-fwcg6zc572rwo/providers/microsoft.network/virtualnetworks/workers-vnet/subnets/public-subnet,public-subnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",Security Center,Subnets should be associated with a Network Security Group
01e7c251-3bed-4242-9d93-a5851b2e6671,databricks-rg-wolffdatabricks-fwcg6zc572rwo,Microsoft.Network/virtualNetworks,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/databricks-rg-wolffdatabricks-fwcg6zc572rwo/providers/microsoft.network/virtualnetworks/workers-vnet,workers-vnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networkwatchershouldbeenabledmonitoringeffect,b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,azure_security_benchmark_v3.0_ir-4,tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.",Network,Network Watcher should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671,databricks-rg-wolffdatabricks-fwcg6zc572rwo,Microsoft.Network/virtualNetworks,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/databricks-rg-wolffdatabricks-fwcg6zc572rwo/providers/microsoft.network/virtualnetworks/workers-vnet,workers-vnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networkwatchershouldbeenabledmonitoringeffect,b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,azure_security_benchmark_v3.0_ir-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.",Network,Network Watcher should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671,databricks-rg-wolffdatabricks-fwcg6zc572rwo,Microsoft.Storage/storageAccounts,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/databricks-rg-wolffdatabricks-fwcg6zc572rwo/providers/microsoft.storage/storageaccounts/dbstorageup2c3j2q6udua,dbstorageup2c3j2q6udua,,,,,,,,,,37e71fce-000a-453e-bb64-6e06cb2af34e,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policydefinitions/37e71fce-000a-453e-bb64-6e06cb2af34e,,tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,50b6c395621b4c99a8693ae9,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/50b6c395621b4c99a8693ae9,"alert to enable metrics to storage account blob sizes",Alerts,Custom policy for alerts on blob storage
01e7c251-3bed-4242-9d93-a5851b2e6671,databricks-rg-wolffdatabricks-fwcg6zc572rwo,Microsoft.Storage/storageAccounts,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/databricks-rg-wolffdatabricks-fwcg6zc572rwo/providers/microsoft.storage/storageaccounts/dbstorageup2c3j2q6udua,dbstorageup2c3j2q6udua,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,[Preview]: Storage account public access should be disallowed
01e7c251-3bed-4242-9d93-a5851b2e6671,databricks-rg-wolffdatabricks-fwcg6zc572rwo,Microsoft.Storage/storageAccounts,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/databricks-rg-wolffdatabricks-fwcg6zc572rwo/providers/microsoft.storage/storageaccounts/dbstorageup2c3j2q6udua,dbstorageup2c3j2q6udua,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,Storage accounts should be migrated to new Azure Resource Manager resources
01e7c251-3bed-4242-9d93-a5851b2e6671,databricks-rg-wolffdatabricks-fwcg6zc572rwo,Microsoft.Storage/storageAccounts,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/databricks-rg-wolffdatabricks-fwcg6zc572rwo/providers/microsoft.storage/storageaccounts/dbstorageup2c3j2q6udua,dbstorageup2c3j2q6udua,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,Storage accounts should restrict network access using virtual network rules
01e7c251-3bed-4242-9d93-a5851b2e6671,databricks-rg-wolffdatabricks-fwcg6zc572rwo,Microsoft.Storage/storageAccounts,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/databricks-rg-wolffdatabricks-fwcg6zc572rwo/providers/microsoft.storage/storageaccounts/dbstorageup2c3j2q6udua,dbstorageup2c3j2q6udua,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.1.1,disableunrestrictednetworktostorageaccountmonitoring,34c877ad-507e-4c82-993e-3452a6e0ad3c,/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges",Storage,Storage accounts should restrict network access
01e7c251-3bed-4242-9d93-a5851b2e6671,databricks-rg-wolffdatabricks-fwcg6zc572rwo,Microsoft.Network/virtualNetworks,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/databricks-rg-wolffdatabricks-fwcg6zc572rwo/providers/microsoft.network/virtualnetworks/workers-vnet,workers-vnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vnetenableddosprotectionmonitoring,a7aca53f-2ed4-4466-a25e-0b45ade68efd,/providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd,azure_security_benchmark_v3.0_ns-5,tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.",Security Center,Azure DDoS Protection Standard should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671,databricks-rg-wolffdatabricks-fwcg6zc572rwo,Microsoft.Storage/storageAccounts,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/databricks-rg-wolffdatabricks-fwcg6zc572rwo/providers/microsoft.storage/storageaccounts/dbstorageup2c3j2q6udua,dbstorageup2c3j2q6udua,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,Storage accounts should restrict network access using virtual network rules
01e7c251-3bed-4242-9d93-a5851b2e6671,databricks-rg-wolffdatabricks-fwcg6zc572rwo,Microsoft.Storage/storageAccounts,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/databricks-rg-wolffdatabricks-fwcg6zc572rwo/providers/microsoft.storage/storageaccounts/dbstorageup2c3j2q6udua,dbstorageup2c3j2q6udua,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671,databricks-rg-wolffdatabricks-fwcg6zc572rwo,Microsoft.Storage/storageAccounts,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/databricks-rg-wolffdatabricks-fwcg6zc572rwo/providers/microsoft.storage/storageaccounts/dbstorageup2c3j2q6udua,dbstorageup2c3j2q6udua,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,[Preview]: Storage account public access should be disallowed
01e7c251-3bed-4242-9d93-a5851b2e6671,databricks-rg-wolffdatabricks-fwcg6zc572rwo,Microsoft.Storage/storageAccounts,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/databricks-rg-wolffdatabricks-fwcg6zc572rwo/providers/microsoft.storage/storageaccounts/dbstorageup2c3j2q6udua,dbstorageup2c3j2q6udua,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671databricks-rg-wolffdatabricks-fwcg6zc572rwoMicrosoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/databricks-rg-wolffdatabricks-fwcg6zc572rwo/providers/microsoft.storage/storageaccounts/dbstorageup2c3j2q6uduadbstorageup2c3j2q6udua55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
01e7c251-3bed-4242-9d93-a5851b2e6671devtestrgMicrosoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab3486wolffdevtestlab348655.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center5.0.0diagnosticslogsinkeyvaultmonitoringcf820ca0-f99e-4f3e-84fb-66e913812d21/providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromisedKey VaultResource logs in Key Vault should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671devtestrgMicrosoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab3486wolffdevtestlab348655.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0firewallshouldbeenabledonkeyvaultmonitoringeffect55615ac9-af46-4a59-874e-391cc3dfb490/providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490System.Object[]tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-securityKey VaultAzure Key Vault should have firewall enabled
01e7c251-3bed-4242-9d93-a5851b2e6671devtestrgMicrosoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab3486wolffdevtestlab348655.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0firewallshouldbeenabledonkeyvaultmonitoringeffect55615ac9-af46-4a59-874e-391cc3dfb490/providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490System.Object[]tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-securityKey VaultAzure Key Vault should have firewall enabled
01e7c251-3bed-4242-9d93-a5851b2e6671devtestrgMicrosoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab3486wolffdevtestlab348655.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0-previewprivateendpointshouldbeconfiguredforkeyvaultmonitoringeffect5f0bc445-3935-4915-9981-011aa2b46147/providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147System.Object[]tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselinePrivate link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration.Key Vault[Preview]: Private endpoint should be configured for Key Vault
01e7c251-3bed-4242-9d93-a5851b2e6671devtestrgMicrosoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279wolffdevtestlab19fb327955.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
01e7c251-3bed-4242-9d93-a5851b2e6671devtestrgMicrosoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab3486wolffdevtestlab348655.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0-previewprivateendpointshouldbeconfiguredforkeyvaultmonitoringeffect5f0bc445-3935-4915-9981-011aa2b46147/providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147System.Object[]tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPrivate link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration.Key Vault[Preview]: Private endpoint should be configured for Key Vault
01e7c251-3bed-4242-9d93-a5851b2e6671devtestrgMicrosoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab3486wolffdevtestlab348655.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect0b60c0b2-2dc2-4e1c-b5c9-abbed971de53/providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53azure_security_benchmark_v3.0_dp-8tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineMalicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.Key VaultKey vaults should have purge protection enabled
01e7c251-3bed-4242-9d93-a5851b2e6671devtestrgMicrosoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279wolffdevtestlab19fb327955.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center5.0.0diagnosticslogsinkeyvaultmonitoringcf820ca0-f99e-4f3e-84fb-66e913812d21/providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromisedKey VaultResource logs in Key Vault should be enabled
SubscriptionId: 01e7c251-3bed-4242-9d93-a5851b2e6671
ResourceGroup: devtestrg
ResourceType: Microsoft.KeyVault/vaults
ResourceTags: tbd
ResourceLocation: westus
IsCompliant: True
ComplianceState: Compliant
ResourceId: /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab3486
Resource: wolffdevtestlab3486
PolicySetDefinitionVersion: 55.0.0
PolicySetDefinitionName: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicySetDefinitionId: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicySetDefinitionCategory: security center
PolicyDefinitionVersion: 3.0.0
PolicyDefinitionReferenceId: keyvaultsshouldhavesoftdeleteenabledmonitoringeffect
PolicyDefinitionName: 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d
PolicyDefinitionId: /providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d
PolicyDefinitionGroupNames: azure_security_benchmark_v3.0_dp-8
PolicyDefinitionCategory: tbd
PolicyDefinitionAction: audit
PolicyAssignmentScope: /providers/Microsoft.Management/managementGroups/MCAPSRegion
PolicyAssignmentOwner: tbd
PolicyAssignmentName: Azure_Security_Baseline
PolicyAssignmentId: /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline
PolicyDescription: Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.
PolicyCategory: Key Vault
PolicyDisplayName: Key vaults should have soft delete enabled
SubscriptionId: 01e7c251-3bed-4242-9d93-a5851b2e6671
ResourceGroup: devtestrg
ResourceType: Microsoft.KeyVault/vaults
ResourceTags: tbd
ResourceLocation: westus
IsCompliant: False
ComplianceState: NonCompliant
ResourceId: /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab3486
Resource: wolffdevtestlab3486
PolicySetDefinitionVersion: 55.0.0
PolicySetDefinitionName: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicySetDefinitionId: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicySetDefinitionCategory: security center
PolicyDefinitionVersion: 5.0.0
PolicyDefinitionReferenceId: diagnosticslogsinkeyvaultmonitoring
PolicyDefinitionName: cf820ca0-f99e-4f3e-84fb-66e913812d21
PolicyDefinitionId: /providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21
PolicyDefinitionGroupNames: System.Object[]
PolicyDefinitionCategory: tbd
PolicyDefinitionAction: auditifnotexists
PolicyAssignmentScope: /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671
PolicyAssignmentOwner: tbd
PolicyAssignmentName: SecurityCenterBuiltIn
PolicyAssignmentId: /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
PolicyDescription: Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised
PolicyCategory: Key Vault
PolicyDisplayName: Resource logs in Key Vault should be enabled
SubscriptionId: 01e7c251-3bed-4242-9d93-a5851b2e6671
ResourceGroup: devtestrg
ResourceType: Microsoft.Storage/storageAccounts
ResourceTags: tbd
ResourceLocation: westus
IsCompliant: False
ComplianceState: NonCompliant
ResourceId: /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.storage/storageaccounts/awolffdevtestlab8492
Resource: awolffdevtestlab8492
PolicySetDefinitionVersion: 55.0.0
PolicySetDefinitionName: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicySetDefinitionId: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicySetDefinitionCategory: security center
PolicyDefinitionVersion: 2.0.0
PolicyDefinitionReferenceId: storageaccountshoulduseaprivatelinkconnectionmonitoringeffect
PolicyDefinitionName: 6edd7eda-6dd8-40f7-810d-67160c639cd9
PolicyDefinitionId: /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9
PolicyDefinitionGroupNames: azure_security_benchmark_v3.0_ns-2
PolicyDefinitionCategory: tbd
PolicyDefinitionAction: auditifnotexists
PolicyAssignmentScope: /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671
PolicyAssignmentOwner: tbd
PolicyAssignmentName: SecurityCenterBuiltIn
PolicyAssignmentId: /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
PolicyDescription: Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview
PolicyCategory: Storage
PolicyDisplayName: Storage accounts should use private link
01e7c251-3bed-4242-9d93-a5851b2e6671devtestrgMicrosoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279wolffdevtestlab19fb327955.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
01e7c251-3bed-4242-9d93-a5851b2e6671devtestrgMicrosoft.KeyVault/vaultstbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab3486wolffdevtestlab348655.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0keyvaultsshouldhavesoftdeleteenabledmonitoringeffect1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d/providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2dazure_security_benchmark_v3.0_dp-8tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDeleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.Key VaultKey vaults should have soft delete enabled
01e7c251-3bed-4242-9d93-a5851b2e6671devtestrgMicrosoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279wolffdevtestlab19fb327955.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0-previewprivateendpointshouldbeconfiguredforkeyvaultmonitoringeffect5f0bc445-3935-4915-9981-011aa2b46147/providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147System.Object[]tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPrivate link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration.Key Vault[Preview]: Private endpoint should be configured for Key Vault
01e7c251-3bed-4242-9d93-a5851b2e6671devtestrgMicrosoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279wolffdevtestlab19fb327955.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center5.0.0diagnosticslogsinkeyvaultmonitoringcf820ca0-f99e-4f3e-84fb-66e913812d21/providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21System.Object[]tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromisedKey VaultResource logs in Key Vault should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671devtestrgMicrosoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279wolffdevtestlab19fb327955.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
01e7c251-3bed-4242-9d93-a5851b2e6671devtestrgMicrosoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279wolffdevtestlab19fb327955.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
01e7c251-3bed-4242-9d93-a5851b2e6671devtestrgMicrosoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279wolffdevtestlab19fb327955.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
01e7c251-3bed-4242-9d93-a5851b2e6671devtestrgMicrosoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279wolffdevtestlab19fb327955.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
01e7c251-3bed-4242-9d93-a5851b2e6671devtestrgMicrosoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279wolffdevtestlab19fb327955.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
01e7c251-3bed-4242-9d93-a5851b2e6671devtestrgMicrosoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279wolffdevtestlab19fb327955.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
01e7c251-3bed-4242-9d93-a5851b2e6671devtestrgMicrosoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279wolffdevtestlab19fb327955.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
01e7c251-3bed-4242-9d93-a5851b2e6671devtestrgMicrosoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.storage/storageaccounts/awolffdevtestlab8492awolffdevtestlab849255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671devtestrgMicrosoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.storage/storageaccounts/awolffdevtestlab8492awolffdevtestlab849255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
01e7c251-3bed-4242-9d93-a5851b2e6671devtestrgMicrosoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.storage/storageaccounts/awolffdevtestlab8492awolffdevtestlab849255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
01e7c251-3bed-4242-9d93-a5851b2e6671devtestrgMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.storage/storageaccounts/awolffdevtestlab8492awolffdevtestlab849255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
01e7c251-3bed-4242-9d93-a5851b2e6671devtestrgMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.storage/storageaccounts/awolffdevtestlab8492awolffdevtestlab849255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
01e7c251-3bed-4242-9d93-a5851b2e6671devtestrgMicrosoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.storage/storageaccounts/awolffdevtestlab8492awolffdevtestlab849255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671devtestrgMicrosoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab3486wolffdevtestlab348655.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect0b60c0b2-2dc2-4e1c-b5c9-abbed971de53/providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53azure_security_benchmark_v3.0_dp-8tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMalicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.Key VaultKey vaults should have purge protection enabled
01e7c251-3bed-4242-9d93-a5851b2e6671devtestrgMicrosoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.storage/storageaccounts/awolffdevtestlab8492awolffdevtestlab849255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
01e7c251-3bed-4242-9d93-a5851b2e6671devtestrgMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.storage/storageaccounts/awolffdevtestlab8492awolffdevtestlab849255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
01e7c251-3bed-4242-9d93-a5851b2e6671devtestrgMicrosoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279wolffdevtestlab19fb327955.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
01e7c251-3bed-4242-9d93-a5851b2e6671devtestrgMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.storage/storageaccounts/awolffdevtestlab8492awolffdevtestlab849237e71fce-000a-453e-bb64-6e06cb2af34e/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policydefinitions/37e71fce-000a-453e-bb64-6e06cb2af34etbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbd50b6c395621b4c99a8693ae9/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/50b6c395621b4c99a8693ae9alert to enable metrics to storage account blob sizesAlertsCustom policy for alerts on blob storage
01e7c251-3bed-4242-9d93-a5851b2e6671devtestrgMicrosoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279wolffdevtestlab19fb327955.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
01e7c251-3bed-4242-9d93-a5851b2e6671devtestrgMicrosoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279wolffdevtestlab19fb327955.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
01e7c251-3bed-4242-9d93-a5851b2e6671devtestrgMicrosoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279wolffdevtestlab19fb327955.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | tbd | audit | /providers/Microsoft.Management/managementGroups/MCAPSRegion | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date
01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | tbd | audit | /providers/Microsoft.Management/managementGroups/MCAPSRegion | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date
01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | tbd | audit | /providers/Microsoft.Management/managementGroups/MCAPSRegion | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date
01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | tbd | audit | /providers/Microsoft.Management/managementGroups/MCAPSRegion | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date
01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | tbd | audit | /providers/Microsoft.Management/managementGroups/MCAPSRegion | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date
01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | tbd | audit | /providers/Microsoft.Management/managementGroups/MCAPSRegion | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date
01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.storage/storageaccounts/awolffdevtestlab8492 | awolffdevtestlab8492 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSRegion | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link
01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.storage/storageaccounts/awolffdevtestlab8492 | awolffdevtestlab8492 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | /providers/Microsoft.Management/managementGroups/MCAPSRegion | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed
01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | tbd | audit | /providers/Microsoft.Management/managementGroups/MCAPSRegion | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date
01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | tbd | audit | /providers/Microsoft.Management/managementGroups/MCAPSRegion | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date
01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | tbd | audit | /providers/Microsoft.Management/managementGroups/MCAPSRegion | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date
01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | tbd | audit | /providers/Microsoft.Management/managementGroups/MCAPSRegion | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date
01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 2.0.0 | keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | /providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | azure_security_benchmark_v3.0_dp-8 | tbd | audit | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | Key Vault | Key vaults should have purge protection enabled
01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | True | Compliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | keyvaultsshouldhavesoftdeleteenabledmonitoringeffect | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | /providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | azure_security_benchmark_v3.0_dp-8 | tbd | audit | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Key Vault | Key vaults should have soft delete enabled
01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | firewallshouldbeenabledonkeyvaultmonitoringeffect | 55615ac9-af46-4a59-874e-391cc3dfb490 | /providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490 | System.Object[] | tbd | audit | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Key Vault | Azure Key Vault should have firewall enabled
01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | tbd | audit | /providers/Microsoft.Management/managementGroups/MCAPSRegion | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date
01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | tbd | audit | /providers/Microsoft.Management/managementGroups/MCAPSRegion | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date
01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | tbd | audit | /providers/Microsoft.Management/managementGroups/MCAPSRegion | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date
01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | tbd | audit | /providers/Microsoft.Management/managementGroups/MCAPSRegion | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date
01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | tbd | audit | /providers/Microsoft.Management/managementGroups/MCAPSRegion | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date
01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | True | Compliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | keyvaultsshouldhavesoftdeleteenabledmonitoringeffect | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | /providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | azure_security_benchmark_v3.0_dp-8 | tbd | audit | /providers/Microsoft.Management/managementGroups/MCAPSRegion | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Key Vault | Key vaults should have soft delete enabled
01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | firewallshouldbeenabledonkeyvaultmonitoringeffect | 55615ac9-af46-4a59-874e-391cc3dfb490 | /providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490 | System.Object[] | tbd | audit | /providers/Microsoft.Management/managementGroups/MCAPSRegion | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Key Vault | Azure Key Vault should have firewall enabled
01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.1.0-preview | privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect | 5f0bc445-3935-4915-9981-011aa2b46147 | /providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147 | System.Object[] | tbd | audit | /providers/Microsoft.Management/managementGroups/MCAPSRegion | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Key Vault | [Preview]: Private endpoint should be configured for Key Vault
01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | tbd | audit | /providers/Microsoft.Management/managementGroups/MCAPSRegion | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date
01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | tbd | audit | /providers/Microsoft.Management/managementGroups/MCAPSRegion | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date
01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 2.0.0 | keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | /providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | azure_security_benchmark_v3.0_dp-8 | tbd | audit | /providers/Microsoft.Management/managementGroups/MCAPSRegion | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | Key Vault | Key vaults should have purge protection enabled
01e7c251-3bed-4242-9d93-a5851b2e6671 | devtestrg | Microsoft.KeyVault/vaults | tbd | westus | False | NonCompliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/devtestrg/providers/microsoft.keyvault/vaults/wolffdevtestlab19fb3279 | wolffdevtestlab19fb3279 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 | tbd | audit | /providers/Microsoft.Management/managementGroups/MCAPSRegion | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Key Vault | Key Vault secrets should have an expiration date
01e7c251-3bed-4242-9d93-a5851b2e6671 | IOTRG | Microsoft.Devices/IotHubs | tbd | westus | True | Compliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/iotrg/providers/microsoft.devices/iothubs/wolffiothub | wolffiothub | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.1 | diagnosticslogsiniothubmonitoring | 383856f8-de7f-44a2-81fc-e5135b5c2aa4 | /providers/microsoft.authorization/policydefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSRegion | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Internet of Things | Resource logs in IoT Hub should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671 | IOTRG | Microsoft.Devices/IotHubs | tbd | westus | True | Compliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/iotrg/providers/microsoft.devices/iothubs/wolffiothub | wolffiothub | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.1 | diagnosticslogsiniothubmonitoring | 383856f8-de7f-44a2-81fc-e5135b5c2aa4 | /providers/microsoft.authorization/policydefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Internet of Things | Resource logs in IoT Hub should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671jwacrrgMicrosoft.ContainerRegistry/registriestbdwestus2FalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/jwacrrg/providers/microsoft.containerregistry/registries/jwolfftestacrjwolfftestacr55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1containerregistriesshoulduseprivatelinkmonitoringeffecte8eef0a8-67cf-4eb4-9386-14b0e78733d4/providers/microsoft.authorization/policydefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link.Container RegistryContainer registries should use private link
01e7c251-3bed-4242-9d93-a5851b2e6671jwacrrgMicrosoft.ContainerRegistry/registriestbdwestus2FalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/jwacrrg/providers/microsoft.containerregistry/registries/jwolfftestacrjwolfftestacr55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0containerregistriesshouldnotallowunrestrictednetworkaccessmonitoringeffectd0793b48-0edc-4296-a390-4c75d1bdfd71/providers/microsoft.authorization/policydefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet.Container RegistryContainer registries should not allow unrestricted network access
01e7c251-3bed-4242-9d93-a5851b2e6671,jwacrrg,Microsoft.ContainerRegistry/registries,tbd,westus2,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/jwacrrg/providers/microsoft.containerregistry/registries/jwolfftestacr,jwolfftestacr,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,containerregistriesshoulduseprivatelinkmonitoringeffect,e8eef0a8-67cf-4eb4-9386-14b0e78733d4,/providers/microsoft.authorization/policydefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link.",Container Registry,Container registries should use private link
01e7c251-3bed-4242-9d93-a5851b2e6671,jwacrrg,Microsoft.ContainerRegistry/registries,tbd,westus2,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/jwacrrg/providers/microsoft.containerregistry/registries/jwolfftestacr,jwolfftestacr,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,containerregistriesshouldnotallowunrestrictednetworkaccessmonitoringeffect,d0793b48-0edc-4296-a390-4c75d1bdfd71,/providers/microsoft.authorization/policydefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet.",Container Registry,Container registries should not allow unrestricted network access
01e7c251-3bed-4242-9d93-a5851b2e6671,jwacrrg,Microsoft.ContainerRegistry/registries,tbd,westus2,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/jwacrrg/providers/microsoft.containerregistry/registries/jwolfftestacr,jwolfftestacr,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.1,containerregistryvulnerabilityassessment,5f0f936f-2f01-4bf5-b6be-d423792fa562,/providers/microsoft.authorization/policydefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562,System.Object[],tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.",Security Center,Container registry images should have vulnerability findings resolved
01e7c251-3bed-4242-9d93-a5851b2e6671,jwacrrg,Microsoft.ContainerRegistry/registries,tbd,westus2,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/jwacrrg/providers/microsoft.containerregistry/registries/jwolfftestacr,jwolfftestacr,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.1,containerregistryvulnerabilityassessment,5f0f936f-2f01-4bf5-b6be-d423792fa562,/providers/microsoft.authorization/policydefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.",Security Center,Container registry images should have vulnerability findings resolved
01e7c251-3bed-4242-9d93-a5851b2e6671,jwRedisrg,Microsoft.Cache/Redis,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/jwredisrg/providers/microsoft.cache/redis/jwredis,jwredis,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,diagnosticslogsinrediscachemonitoring,22bee202-a82f-4305-9a2a-6d7f44d4dedb,/providers/microsoft.authorization/policydefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Cache,Only secure connections to your Azure Cache for Redis should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671,jwRedisrg,Microsoft.Cache/Redis,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/jwredisrg/providers/microsoft.cache/redis/jwredis,jwredis,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,azurecacheforredisshoulduseprivateendpointmonitoringeffect,7803067c-7d34-46e3-8c79-0ca68fc4036d,/providers/microsoft.authorization/policydefinitions/7803067c-7d34-46e3-8c79-0ca68fc4036d,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link.",Cache,Azure Cache for Redis should use private link
01e7c251-3bed-4242-9d93-a5851b2e6671,jwRedisrg,Microsoft.Cache/Redis,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/jwredisrg/providers/microsoft.cache/redis/jwredis,jwredis,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,azurecacheforredisshoulduseprivateendpointmonitoringeffect,7803067c-7d34-46e3-8c79-0ca68fc4036d,/providers/microsoft.authorization/policydefinitions/7803067c-7d34-46e3-8c79-0ca68fc4036d,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link.",Cache,Azure Cache for Redis should use private link
01e7c251-3bed-4242-9d93-a5851b2e6671,jwRedisrg,Microsoft.Cache/Redis,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/jwredisrg/providers/microsoft.cache/redis/jwredis,jwredis,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,diagnosticslogsinrediscachemonitoring,22bee202-a82f-4305-9a2a-6d7f44d4dedb,/providers/microsoft.authorization/policydefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Cache,Only secure connections to your Azure Cache for Redis should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671,msuscsavnetrg,Microsoft.Network/virtualNetworks/subnets,tbd,,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.network/virtualnetworks/msusvnetwestus/subnets/databrickssn,databrickssn,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",Security Center,Subnets should be associated with a Network Security Group
01e7c251-3bed-4242-9d93-a5851b2e6671,msuscsavnetrg,Microsoft.Network/virtualNetworks/subnets,tbd,,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.network/virtualnetworks/msusvnetwestus/subnets/azurefirewallmanagementsubnet,azurefirewallmanagementsubnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",Security Center,Subnets should be associated with a Network Security Group
01e7c251-3bed-4242-9d93-a5851b2e6671,msuscsavnetrg,Microsoft.Network/virtualNetworks,tbd,westus2,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.network/virtualnetworks/msuscsavnet,msuscsavnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vnetenableddosprotectionmonitoring,a7aca53f-2ed4-4466-a25e-0b45ade68efd,/providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd,azure_security_benchmark_v3.0_ns-5,tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.",Security Center,Azure DDoS Protection Standard should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671,msuscsavnetrg,Microsoft.Network/virtualNetworks/subnets,tbd,,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.network/virtualnetworks/msuscsavnet/subnets/default,default,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",Security Center,Subnets should be associated with a Network Security Group
01e7c251-3bed-4242-9d93-a5851b2e6671,msuscsavnetrg,Microsoft.Network/virtualNetworks/subnets,tbd,,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.network/virtualnetworks/msusvnetwestus/subnets/azurefirewallsubnet,azurefirewallsubnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",Security Center,Subnets should be associated with a Network Security Group
01e7c251-3bed-4242-9d93-a5851b2e6671,msuscsavnetrg,Microsoft.Network/virtualNetworks,tbd,westus2,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.network/virtualnetworks/msuscsavnet,msuscsavnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networkwatchershouldbeenabledmonitoringeffect,b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,azure_security_benchmark_v3.0_ir-4,tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.",Network,Network Watcher should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671,msuscsavnetrg,Microsoft.Network/virtualNetworks,tbd,westus2,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.network/virtualnetworks/msuscsavnet,msuscsavnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networkwatchershouldbeenabledmonitoringeffect,b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,azure_security_benchmark_v3.0_ir-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.",Network,Network Watcher should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671,msuscsavnetrg,Microsoft.Network/virtualNetworks/subnets,tbd,,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.network/virtualnetworks/msusvnetwestus/subnets/devtestlabsn,devtestlabsn,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",Security Center,Subnets should be associated with a Network Security Group
01e7c251-3bed-4242-9d93-a5851b2e6671,msuscsavnetrg,Microsoft.Network/virtualNetworks,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.network/virtualnetworks/msusvnetwestus,msusvnetwestus,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vnetenableddosprotectionmonitoring,a7aca53f-2ed4-4466-a25e-0b45ade68efd,/providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd,azure_security_benchmark_v3.0_ns-5,tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.",Security Center,Azure DDoS Protection Standard should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671,msuscsavnetrg,Microsoft.Network/virtualNetworks/subnets,tbd,,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.network/virtualnetworks/msuscsavnet/subnets/batchsn,batchsn,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",Security Center,Subnets should be associated with a Network Security Group
01e7c251-3bed-4242-9d93-a5851b2e6671,msuscsavnetrg,Microsoft.Network/virtualNetworks/subnets,tbd,,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.network/virtualnetworks/msuscsavnet/subnets/azurebastionsubnet,azurebastionsubnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",Security Center,Subnets should be associated with a Network Security Group
01e7c251-3bed-4242-9d93-a5851b2e6671,msuscsavnetrg,Microsoft.Network/virtualNetworks/subnets,tbd,,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.network/virtualnetworks/msusvnetwestus/subnets/default,default,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",Security Center,Subnets should be associated with a Network Security Group
01e7c251-3bed-4242-9d93-a5851b2e6671,msuscsavnetrg,Microsoft.Network/virtualNetworks/subnets,tbd,,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.network/virtualnetworks/msuscsavnet/subnets/avdsn,avdsn,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",Security Center,Subnets should be associated with a Network Security Group
01e7c251-3bed-4242-9d93-a5851b2e6671,msuscsavnetrg,Microsoft.Network/virtualNetworks,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.network/virtualnetworks/msusvnetwestus,msusvnetwestus,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networkwatchershouldbeenabledmonitoringeffect,b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,azure_security_benchmark_v3.0_ir-4,tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.",Network,Network Watcher should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671,msuscsavnetrg,Microsoft.Network/virtualNetworks/subnets,tbd,,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.network/virtualnetworks/msusvnetwestus/subnets/cyclecoudsn,cyclecoudsn,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",Security Center,Subnets should be associated with a Network Security Group
01e7c251-3bed-4242-9d93-a5851b2e6671,msuscsavnetrg,Microsoft.Network/virtualNetworks/subnets,tbd,,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.network/virtualnetworks/msuscsavnet/subnets/cyclecloudsnslurmlabclustersn,cyclecloudsnslurmlabclustersn,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",Security Center,Subnets should be associated with a Network Security Group
01e7c251-3bed-4242-9d93-a5851b2e6671,MSUSCSAVNETRG,Microsoft.Storage/storageAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.storage/storageaccounts/batchshellsa,batchshellsa,,,,,,,,,,37e71fce-000a-453e-bb64-6e06cb2af34e,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policydefinitions/37e71fce-000a-453e-bb64-6e06cb2af34e,,tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,50b6c395621b4c99a8693ae9,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/50b6c395621b4c99a8693ae9,"alert to enable metrics to storage account blob sizes",Alerts,Custom policy for alerts on blob storage
01e7c251-3bed-4242-9d93-a5851b2e6671,msuscsavnetrg,Microsoft.Network/virtualNetworks,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.network/virtualnetworks/msusvnetwestus,msusvnetwestus,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networkwatchershouldbeenabledmonitoringeffect,b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,azure_security_benchmark_v3.0_ir-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.",Network,Network Watcher should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671,MSUSCSAVNETRG,Microsoft.Storage/storageAccounts,tbd,westus2,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.storage/storageaccounts/batchshellsa,batchshellsa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671,MSUSCSAVNETRG,Microsoft.Storage/storageAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.storage/storageaccounts/batchshellsa,batchshellsa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.1.1,disableunrestrictednetworktostorageaccountmonitoring,34c877ad-507e-4c82-993e-3452a6e0ad3c,/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges",Storage,Storage accounts should restrict network access
01e7c251-3bed-4242-9d93-a5851b2e6671MSUSCSAVNETRGMicrosoft.Storage/storageAccountstbdwestus2FalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.storage/storageaccounts/batchshellsabatchshellsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
01e7c251-3bed-4242-9d93-a5851b2e6671MSUSCSAVNETRGMicrosoft.Storage/storageAccountstbdwestus2TrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.storage/storageaccounts/batchshellsabatchshellsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
01e7c251-3bed-4242-9d93-a5851b2e6671MSUSCSAVNETRGMicrosoft.Storage/storageAccountstbdwestus2TrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.storage/storageaccounts/batchshellsabatchshellsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
01e7c251-3bed-4242-9d93-a5851b2e6671MSUSCSAVNETRGMicrosoft.Storage/storageAccountstbdwestus2TrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.storage/storageaccounts/batchshellsabatchshellsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671MSUSCSAVNETRGMicrosoft.Storage/storageAccountstbdwestus2FalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.storage/storageaccounts/batchshellsabatchshellsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
01e7c251-3bed-4242-9d93-a5851b2e6671MSUSCSAVNETRGMicrosoft.Storage/storageAccountstbdwestus2TrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.storage/storageaccounts/batchshellsabatchshellsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
01e7c251-3bed-4242-9d93-a5851b2e6671MSUSCSAVNETRGMicrosoft.Storage/storageAccountstbdwestus2TrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.storage/storageaccounts/batchshellsabatchshellsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
01e7c251-3bed-4242-9d93-a5851b2e6671MSUSCSAVNETRGMicrosoft.Storage/storageAccountstbdwestus2FalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.storage/storageaccounts/batchshellsabatchshellsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
01e7c251-3bed-4242-9d93-a5851b2e6671MSUSCSAVNETRGMicrosoft.Storage/storageAccountstbdwestus2FalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg/providers/microsoft.storage/storageaccounts/batchshellsabatchshellsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
01e7c251-3bed-4242-9d93-a5851b2e6671msuscsavnetrg-asrMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg-asr/providers/microsoft.network/virtualnetworks/msuscsavnet-asr/subnets/defaultdefault55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
01e7c251-3bed-4242-9d93-a5851b2e6671msuscsavnetrg-asrMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg-asr/providers/microsoft.network/virtualnetworks/msuscsavnet-asr/subnets/cyclecloudsnslurmlabclustersncyclecloudsnslurmlabclustersn55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
01e7c251-3bed-4242-9d93-a5851b2e6671msuscsavnetrg-asrMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg-asr/providers/microsoft.network/virtualnetworks/msuscsavnet-asr/subnets/batchsnbatchsn55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
01e7c251-3bed-4242-9d93-a5851b2e6671msuscsavnetrg-asrMicrosoft.Network/virtualNetworkstbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg-asr/providers/microsoft.network/virtualnetworks/msuscsavnet-asrmsuscsavnet-asr55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vnetenableddosprotectionmonitoringa7aca53f-2ed4-4466-a25e-0b45ade68efd/providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efdazure_security_benchmark_v3.0_ns-5tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.Security CenterAzure DDoS Protection Standard should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671msuscsavnetrg-asrMicrosoft.Network/virtualNetworkstbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg-asr/providers/microsoft.network/virtualnetworks/msuscsavnet-asrmsuscsavnet-asr55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671msuscsavnetrg-asrMicrosoft.Network/virtualNetworkstbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msuscsavnetrg-asr/providers/microsoft.network/virtualnetworks/msuscsavnet-asrmsuscsavnet-asr55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671msusvnetwestrgMicrosoft.Network/virtualNetworkstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msusvnetwestrg/providers/microsoft.network/virtualnetworks/msusvnetwestmsusvnetwest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0-previewazurefirewalleffectfc5e4038-4584-4632-8c85-c0448d374b2c/providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2cazure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewallNetwork[Preview]: All Internet traffic should be routed via your deployed Azure Firewall
01e7c251-3bed-4242-9d93-a5851b2e6671msusvnetwestrgMicrosoft.Network/virtualNetworkstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msusvnetwestrg/providers/microsoft.network/virtualnetworks/msusvnetwestmsusvnetwest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0-previewazurefirewalleffectfc5e4038-4584-4632-8c85-c0448d374b2c/providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2cazure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewallNetwork[Preview]: All Internet traffic should be routed via your deployed Azure Firewall
01e7c251-3bed-4242-9d93-a5851b2e6671msusvnetwestrgMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msusvnetwestrg/providers/microsoft.network/virtualnetworks/msusvnetwest/subnets/defaultdefault55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
01e7c251-3bed-4242-9d93-a5851b2e6671msusvnetwestrgMicrosoft.Network/virtualNetworkstbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msusvnetwestrg/providers/microsoft.network/virtualnetworks/msusvnetwestmsusvnetwest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671msusvnetwestrgMicrosoft.Network/virtualNetworkstbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msusvnetwestrg/providers/microsoft.network/virtualnetworks/msusvnetwestmsusvnetwest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vnetenableddosprotectionmonitoringa7aca53f-2ed4-4466-a25e-0b45ade68efd/providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efdazure_security_benchmark_v3.0_ns-5tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.Security CenterAzure DDoS Protection Standard should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671msusvnetwestrgMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msusvnetwestrg/providers/microsoft.network/virtualnetworks/msusvnetwest/subnets/synapsedatabrickssnsynapsedatabrickssn55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
01e7c251-3bed-4242-9d93-a5851b2e6671msusvnetwestrgMicrosoft.Network/virtualNetworkstbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/msusvnetwestrg/providers/microsoft.network/virtualnetworks/msusvnetwestmsusvnetwest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671wolffMicrosoft.Sql/serverstbdeastusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolff/providers/Microsoft.Sql/servers/wolffsynapseworkspacewolffsynapseworkspace55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0publicnetworkaccessonazuresqldatabaseshouldbedisabledmonitoringeffect1b8ca024-1d5c-4dec-8995-b1a932b41780/providers/microsoft.authorization/policydefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineDisabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules.SQLPublic network access on Azure SQL Database should be disabled
01e7c251-3bed-4242-9d93-a5851b2e6671wolffMicrosoft.Sql/serverstbdeastusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolff/providers/Microsoft.Sql/servers/wolffsynapseworkspacewolffsynapseworkspace55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0aadauthenticationinsqlservermonitoring1f314764-cb73-4fc9-b863-8eca98ac36e9/providers/microsoft.authorization/policydefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9azure_security_benchmark_v3.0_im-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft servicesSQLAn Azure Active Directory administrator should be provisioned for SQL servers
01e7c251-3bed-4242-9d93-a5851b2e6671wolffMicrosoft.Sql/serverstbdeastusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolff/providers/Microsoft.Sql/servers/wolffsynapseworkspacewolffsynapseworkspace55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0privateendpointconnectionsonazuresqldatabaseshouldbeenabledmonitoringeffect7698e800-9299-47a6-b3b6-5a0fee576eed/providers/microsoft.authorization/policydefinitions/7698e800-9299-47a6-b3b6-5a0fee576eedazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPrivate endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database.SQLPrivate endpoint connections on Azure SQL Database should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671,wolff,Microsoft.Sql/servers,tbd,eastus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolff/providers/Microsoft.Sql/servers/wolffsynapseworkspace,wolffsynapseworkspace,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,sqldbvulnerabilityassesmentmonitoring,feedbf84-6b99-488c-acc2-71c829aa5ffc,/providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities.,Security Center,SQL databases should have vulnerability findings resolved
01e7c251-3bed-4242-9d93-a5851b2e6671,wolff,Microsoft.Sql/servers,tbd,eastus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolff/providers/Microsoft.Sql/servers/wolffsynapseworkspace,wolffsynapseworkspace,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,aadauthenticationinsqlservermonitoring,1f314764-cb73-4fc9-b863-8eca98ac36e9,/providers/microsoft.authorization/policydefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9,azure_security_benchmark_v3.0_im-1,tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services,SQL,An Azure Active Directory administrator should be provisioned for SQL servers
01e7c251-3bed-4242-9d93-a5851b2e6671,wolff,Microsoft.Sql/servers,tbd,eastus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolff/providers/Microsoft.Sql/servers/wolffsynapseworkspace,wolffsynapseworkspace,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.1.0,publicnetworkaccessonazuresqldatabaseshouldbedisabledmonitoringeffect,1b8ca024-1d5c-4dec-8995-b1a932b41780,/providers/microsoft.authorization/policydefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules.,SQL,Public network access on Azure SQL Database should be disabled
01e7c251-3bed-4242-9d93-a5851b2e6671,wolff,Microsoft.Sql/servers,tbd,eastus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolff/providers/Microsoft.Sql/servers/wolffsynapseworkspace,wolffsynapseworkspace,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,sqldbvulnerabilityassesmentmonitoring,feedbf84-6b99-488c-acc2-71c829aa5ffc,/providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities.,Security Center,SQL databases should have vulnerability findings resolved
01e7c251-3bed-4242-9d93-a5851b2e6671,wolff,Microsoft.Sql/servers,tbd,eastus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolff/providers/Microsoft.Sql/servers/wolffsynapseworkspace,wolffsynapseworkspace,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.1.0,privateendpointconnectionsonazuresqldatabaseshouldbeenabledmonitoringeffect,7698e800-9299-47a6-b3b6-5a0fee576eed,/providers/microsoft.authorization/policydefinitions/7698e800-9299-47a6-b3b6-5a0fee576eed,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database.,SQL,Private endpoint connections on Azure SQL Database should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffautorg,Microsoft.Automation/automationAccounts/variables,tbd,,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.automation/automationaccounts/wolffautoacct/variables/sequencestop,sequencestop,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.1.0,encryptionofautomationaccountmonitoring,3657f5a0-770e-44a3-b44e-9431ba1e9735,/providers/microsoft.authorization/policydefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735,azure_security_benchmark_v3.0_dp-4,tbd,audit,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,It is important to enable encryption of Automation account variable assets when storing sensitive data,Automation,Automation account variables should be encrypted
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffautorg,Microsoft.Storage/storageAccounts,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.storage/storageaccounts/wolffautomationsa,wolffautomationsa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,[Preview]: Storage account public access should be disallowed
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffautorg,Microsoft.Automation/automationAccounts/variables,tbd,,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.automation/automationaccounts/wolffautoacct/variables/sequencestop,sequencestop,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.1.0,encryptionofautomationaccountmonitoring,3657f5a0-770e-44a3-b44e-9431ba1e9735,/providers/microsoft.authorization/policydefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735,azure_security_benchmark_v3.0_dp-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,It is important to enable encryption of Automation account variable assets when storing sensitive data,Automation,Automation account variables should be encrypted
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffautorg,Microsoft.Automation/automationAccounts/variables,tbd,,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.automation/automationaccounts/wolffautoacct/variables/sequencestart,sequencestart,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.1.0,encryptionofautomationaccountmonitoring,3657f5a0-770e-44a3-b44e-9431ba1e9735,/providers/microsoft.authorization/policydefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735,azure_security_benchmark_v3.0_dp-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,It is important to enable encryption of Automation account variable assets when storing sensitive data,Automation,Automation account variables should be encrypted
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffautorg,Microsoft.Automation/automationAccounts/variables,tbd,,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.automation/automationaccounts/wolffautoacct/variables/sequencestart,sequencestart,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.1.0,encryptionofautomationaccountmonitoring,3657f5a0-770e-44a3-b44e-9431ba1e9735,/providers/microsoft.authorization/policydefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735,azure_security_benchmark_v3.0_dp-4,tbd,audit,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,It is important to enable encryption of Automation account variable assets when storing sensitive data,Automation,Automation account variables should be encrypted
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffautorg,Microsoft.Automation/automationAccounts/variables,tbd,,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.automation/automationaccounts/wolffautoacct/variables/action,action,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.1.0,encryptionofautomationaccountmonitoring,3657f5a0-770e-44a3-b44e-9431ba1e9735,/providers/microsoft.authorization/policydefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735,azure_security_benchmark_v3.0_dp-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,It is important to enable encryption of Automation account variable assets when storing sensitive data,Automation,Automation account variables should be encrypted
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffautorg,Microsoft.Automation/automationAccounts/variables,tbd,,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.automation/automationaccounts/wolffautoacct/variables/action,action,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.1.0,encryptionofautomationaccountmonitoring,3657f5a0-770e-44a3-b44e-9431ba1e9735,/providers/microsoft.authorization/policydefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735,azure_security_benchmark_v3.0_dp-4,tbd,audit,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,It is important to enable encryption of Automation account variable assets when storing sensitive data,Automation,Automation account variables should be encrypted
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffautorg,Microsoft.Storage/storageAccounts,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.storage/storageaccounts/wolffautomationsa,wolffautomationsa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,Storage accounts should be migrated to new Azure Resource Manager resources
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffautorg,Microsoft.Storage/storageAccounts,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.storage/storageaccounts/wolffautosaa32nsd,wolffautosaa32nsd,,,,,,,,,,37e71fce-000a-453e-bb64-6e06cb2af34e,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policydefinitions/37e71fce-000a-453e-bb64-6e06cb2af34e,,tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,50b6c395621b4c99a8693ae9,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/50b6c395621b4c99a8693ae9,alert to enable metrics to storage account blob sizes,Alerts,Custom policy for alerts on blob storage
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffautorg,Microsoft.Storage/storageAccounts,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.storage/storageaccounts/wolffautomationsa,wolffautomationsa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffautorg,Microsoft.Storage/storageAccounts,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.storage/storageaccounts/wolffautomationsa,wolffautomationsa,,,,,,,,,,37e71fce-000a-453e-bb64-6e06cb2af34e,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policydefinitions/37e71fce-000a-453e-bb64-6e06cb2af34e,,tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,50b6c395621b4c99a8693ae9,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/50b6c395621b4c99a8693ae9,alert to enable metrics to storage account blob sizes,Alerts,Custom policy for alerts on blob storage
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffautorg,Microsoft.Storage/storageAccounts,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.storage/storageaccounts/wolffautosaa32nsd,wolffautosaa32nsd,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.,Storage,Storage accounts should restrict network access using virtual network rules
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffautorg,Microsoft.Storage/storageAccounts,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.storage/storageaccounts/wolffautosaa32nsd,wolffautosaa32nsd,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,[Preview]: Storage account public access should be disallowed
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffautorg,Microsoft.Storage/storageAccounts,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.storage/storageaccounts/wolffautosaa32nsd,wolffautosaa32nsd,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,Storage accounts should be migrated to new Azure Resource Manager resources
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffautorg,Microsoft.Storage/storageAccounts,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.storage/storageaccounts/wolffautosaa32nsd,wolffautosaa32nsd,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffautorg,Microsoft.Storage/storageAccounts,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.storage/storageaccounts/wolffautomationsa,wolffautomationsa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,Storage accounts should use private link
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffautorg,Microsoft.Storage/storageAccounts,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.storage/storageaccounts/wolffautomationsa,wolffautomationsa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,Storage accounts should use private link
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffautorg,Microsoft.Storage/storageAccounts,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.storage/storageaccounts/wolffautosaa32nsd,wolffautosaa32nsd,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.1.1,disableunrestrictednetworktostorageaccountmonitoring,34c877ad-507e-4c82-993e-3452a6e0ad3c,/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges",Storage,Storage accounts should restrict network access
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffautorg,Microsoft.Storage/storageAccounts,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.storage/storageaccounts/wolffautosaa32nsd,wolffautosaa32nsd,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.,Storage,Storage accounts should restrict network access using virtual network rules
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffautorg,Microsoft.Storage/storageAccounts,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.storage/storageaccounts/wolffautomationsa,wolffautomationsa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.1.1,disableunrestrictednetworktostorageaccountmonitoring,34c877ad-507e-4c82-993e-3452a6e0ad3c,/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges",Storage,Storage accounts should restrict network access
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffautorg,Microsoft.Storage/storageAccounts,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.storage/storageaccounts/wolffautomationsa,wolffautomationsa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.,Storage,Storage accounts should restrict network access using virtual network rules
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffautorg,Microsoft.Storage/storageAccounts,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.storage/storageaccounts/wolffautomationsa,wolffautomationsa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,[Preview]: Storage account public access should be disallowed
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffautorg,Microsoft.Storage/storageAccounts,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.storage/storageaccounts/wolffautomationsa,wolffautomationsa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,Storage accounts should be migrated to new Azure Resource Manager resources
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffautorg,Microsoft.Storage/storageAccounts,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.storage/storageaccounts/wolffautosaa32nsd,wolffautosaa32nsd,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,[Preview]: Storage account public access should be disallowed
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffautorg,Microsoft.Storage/storageAccounts,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.storage/storageaccounts/wolffautomationsa,wolffautomationsa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffautorg,Microsoft.Automation/automationAccounts/variables,tbd,,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.automation/automationaccounts/wolffautoacct/variables/subscription,subscription,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.1.0,encryptionofautomationaccountmonitoring,3657f5a0-770e-44a3-b44e-9431ba1e9735,/providers/microsoft.authorization/policydefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735,azure_security_benchmark_v3.0_dp-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,It is important to enable encryption of Automation account variable assets when storing sensitive data,Automation,Automation account variables should be encrypted
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffautorg,Microsoft.Storage/storageAccounts,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.storage/storageaccounts/wolffautosaa32nsd,wolffautosaa32nsd,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,Storage accounts should be migrated to new Azure Resource Manager resources
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffautorg,Microsoft.Web/sites,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.web/sites/wolffautofuncappa32nsdegjr53y,wolffautofuncappa32nsdegjr53y,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,functionapprestrictcorsaccessmonitoring,0820b7b9-23aa-4725-a1ce-ae4558f718e5,/providers/microsoft.authorization/policydefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5,azure_security_benchmark_v3.0_pv-2,tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app.,App Service,Function apps should not have CORS configured to allow every resource to access your apps
01e7c251-3bed-4242-9d93-a5851b2e6671wolffautorgMicrosoft.Automation/automationAccounts/variablestbdFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.automation/automationaccounts/wolffautoacct/variables/subscriptionsubscription55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0encryptionofautomationaccountmonitoring3657f5a0-770e-44a3-b44e-9431ba1e9735/providers/microsoft.authorization/policydefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735azure_security_benchmark_v3.0_dp-4tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinIt is important to enable encryption of Automation account variable assets when storing sensitive dataAutomationAutomation account variables should be encrypted
01e7c251-3bed-4242-9d93-a5851b2e6671wolffautorgMicrosoft.Web/sitestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.web/sites/wolffautofuncappa32nsdegjr53ywolffautofuncappa32nsdegjr53y55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0functionappsshouldhaveclientcertificatesenabledmonitoringeffecteaebaea7-8013-4ceb-9d14-7eb32271373c/providers/microsoft.authorization/policydefinitions/eaebaea7-8013-4ceb-9d14-7eb32271373cazure_security_benchmark_v3.0_pv-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineClient certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app.App ServiceFunction apps should have 'Client Certificates (Incoming client certificates)' enabled
01e7c251-3bed-4242-9d93-a5851b2e6671wolffautorgMicrosoft.Web/sitestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.web/sites/wolffautofuncappa32nsdegjr53ywolffautofuncappa32nsdegjr53y55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center5.0.0functionappenforcehttpsmonitoring6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab/providers/microsoft.authorization/policydefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbabazure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineUse of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.App ServiceFunction apps should only be accessible over HTTPS
01e7c251-3bed-4242-9d93-a5851b2e6671wolffautorgMicrosoft.Web/sitestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.web/sites/wolffautofuncappa32nsdegjr53ywolffautofuncappa32nsdegjr53y55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0functionappsshouldhaveclientcertificatesenabledmonitoringeffecteaebaea7-8013-4ceb-9d14-7eb32271373c/providers/microsoft.authorization/policydefinitions/eaebaea7-8013-4ceb-9d14-7eb32271373cazure_security_benchmark_v3.0_pv-2tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinClient certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app.App ServiceFunction apps should have 'Client Certificates (Incoming client certificates)' enabled
01e7c251-3bed-4242-9d93-a5851b2e6671wolffautorgMicrosoft.Web/sitestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.web/sites/wolffautofuncappa32nsdegjr53ywolffautofuncappa32nsdegjr53y55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center5.0.0functionappenforcehttpsmonitoring6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab/providers/microsoft.authorization/policydefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbabazure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.App ServiceFunction apps should only be accessible over HTTPS
01e7c251-3bed-4242-9d93-a5851b2e6671wolffautorgMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.storage/storageaccounts/wolffautomationsawolffautomationsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
01e7c251-3bed-4242-9d93-a5851b2e6671wolffautorgMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.storage/storageaccounts/wolffautosaa32nsdwolffautosaa32nsd55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
01e7c251-3bed-4242-9d93-a5851b2e6671wolffautorgMicrosoft.Web/sitestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.web/sites/wolffautofuncappa32nsdegjr53ywolffautofuncappa32nsdegjr53y55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0functionappdisableremotedebuggingmonitoring0e60b895-3786-45da-8377-9c6b4b6ac5f9/providers/microsoft.authorization/policydefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9azure_security_benchmark_v3.0_pv-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineRemote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off.App ServiceFunction apps should have remote debugging turned off
01e7c251-3bed-4242-9d93-a5851b2e6671wolffautorgMicrosoft.Web/sitestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.web/sites/wolffautofuncappa32nsdegjr53ywolffautofuncappa32nsdegjr53y55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0ftpsonlyshouldberequiredinyourfunctionappmonitoringeffect399b2637-a50f-4f95-96f8-3a145476eb15/providers/microsoft.authorization/policydefinitions/399b2637-a50f-4f95-96f8-3a145476eb15azure_security_benchmark_v3.0_dp-3tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable FTPS enforcement for enhanced security.App ServiceFunction apps should require FTPS only
01e7c251-3bed-4242-9d93-a5851b2e6671wolffautorgMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.storage/storageaccounts/wolffautosaa32nsdwolffautosaa32nsd55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
01e7c251-3bed-4242-9d93-a5851b2e6671wolffautorgMicrosoft.Web/sitestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.web/sites/wolffautofuncappa32nsdegjr53ywolffautofuncappa32nsdegjr53y55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0functionappdisableremotedebuggingmonitoring0e60b895-3786-45da-8377-9c6b4b6ac5f9/providers/microsoft.authorization/policydefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9azure_security_benchmark_v3.0_pv-2tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRemote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off.App ServiceFunction apps should have remote debugging turned off
01e7c251-3bed-4242-9d93-a5851b2e6671wolffautorgMicrosoft.Web/sitestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.web/sites/wolffautofuncappa32nsdegjr53ywolffautofuncappa32nsdegjr53y55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0managedidentityshouldbeusedinyourfunctionappmonitoringeffect0da106f2-4ca3-48e8-bc85-c638fe6aea8f/providers/microsoft.authorization/policydefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8fazure_security_benchmark_v3.0_im-3tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse a managed identity for enhanced authentication securityApp ServiceFunction apps should use managed identity
01e7c251-3bed-4242-9d93-a5851b2e6671wolffautorgMicrosoft.Web/sitestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.web/sites/wolffautofuncappa32nsdegjr53ywolffautofuncappa32nsdegjr53y55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.1latesttlsversionshouldbeusedinyourfunctionappmonitoringeffectf9d614c5-c173-4d56-95a7-b4437057d193/providers/microsoft.authorization/policydefinitions/f9d614c5-c173-4d56-95a7-b4437057d193System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselinePeriodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.App ServiceFunction apps should use the latest TLS version
01e7c251-3bed-4242-9d93-a5851b2e6671wolffautorgMicrosoft.Web/sitestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.web/sites/wolffautofuncappa32nsdegjr53ywolffautofuncappa32nsdegjr53y55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0functionapprestrictcorsaccessmonitoring0820b7b9-23aa-4725-a1ce-ae4558f718e5/providers/microsoft.authorization/policydefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5azure_security_benchmark_v3.0_pv-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineCross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app.App ServiceFunction apps should not have CORS configured to allow every resource to access your apps
01e7c251-3bed-4242-9d93-a5851b2e6671wolffautorgMicrosoft.Web/sitestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.web/sites/wolffautofuncappa32nsdegjr53ywolffautofuncappa32nsdegjr53y55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0managedidentityshouldbeusedinyourfunctionappmonitoringeffect0da106f2-4ca3-48e8-bc85-c638fe6aea8f/providers/microsoft.authorization/policydefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8fazure_security_benchmark_v3.0_im-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineUse a managed identity for enhanced authentication securityApp ServiceFunction apps should use managed identity
01e7c251-3bed-4242-9d93-a5851b2e6671wolffautorgMicrosoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.storage/storageaccounts/wolffautosaa32nsdwolffautosaa32nsd55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671wolffautorgMicrosoft.Web/sitestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffautorg/providers/microsoft.web/sites/wolffautofuncappa32nsdegjr53ywolffautofuncappa32nsdegjr53y55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.1latesttlsversionshouldbeusedinyourfunctionappmonitoringeffectf9d614c5-c173-4d56-95a7-b4437057d193/providers/microsoft.authorization/policydefinitions/f9d614c5-c173-4d56-95a7-b4437057d193System.Object[]tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPeriodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.App ServiceFunction apps should use the latest TLS version
01e7c251-3bed-4242-9d93-a5851b2e6671wolffbillingrgMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffbillingrg/providers/microsoft.storage/storageaccounts/wolffbillingsawolffbillingsa37e71fce-000a-453e-bb64-6e06cb2af34e/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policydefinitions/37e71fce-000a-453e-bb64-6e06cb2af34etbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbd50b6c395621b4c99a8693ae9/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/50b6c395621b4c99a8693ae9alert to enable metrics to storage account blob sizesAlertsCustom policy for alerts on blob storage
01e7c251-3bed-4242-9d93-a5851b2e6671wolffbillingrgMicrosoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffbillingrg/providers/microsoft.storage/storageaccounts/wolffbillingsawolffbillingsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671wolffbillingrgMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffbillingrg/providers/microsoft.storage/storageaccounts/wolffbillingsawolffbillingsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
01e7c251-3bed-4242-9d93-a5851b2e6671wolffbillingrgMicrosoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffbillingrg/providers/microsoft.storage/storageaccounts/wolffbillingsawolffbillingsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
01e7c251-3bed-4242-9d93-a5851b2e6671wolffbillingrgMicrosoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffbillingrg/providers/microsoft.storage/storageaccounts/wolffbillingsawolffbillingsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
01e7c251-3bed-4242-9d93-a5851b2e6671wolffbillingrgMicrosoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffbillingrg/providers/microsoft.storage/storageaccounts/wolffbillingsawolffbillingsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671wolffbillingrgMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffbillingrg/providers/microsoft.storage/storageaccounts/wolffbillingsawolffbillingsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
01e7c251-3bed-4242-9d93-a5851b2e6671wolffbillingrgMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffbillingrg/providers/microsoft.storage/storageaccounts/wolffbillingsawolffbillingsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffbillingrg,Microsoft.Storage/storageAccounts,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffbillingrg/providers/microsoft.storage/storageaccounts/wolffbillingsa,wolffbillingsa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,"[Preview]: Storage account public access should be disallowed"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffbillingrg,Microsoft.Storage/storageAccounts,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffbillingrg/providers/microsoft.storage/storageaccounts/wolffbillingsa,wolffbillingsa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,"Storage accounts should be migrated to new Azure Resource Manager resources"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffbillingrg,Microsoft.Storage/storageAccounts,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffbillingrg/providers/microsoft.storage/storageaccounts/wolffbillingsa,wolffbillingsa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,"Storage accounts should use private link"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffbillingrg,Microsoft.Storage/storageAccounts,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffbillingrg/providers/microsoft.storage/storageaccounts/wolffbillingsa,wolffbillingsa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,"Storage accounts should use private link"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab,wolffdevtestlab,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,"[Preview]: System updates should be installed on your machines (powered by Update Center)"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab,wolffdevtestlab,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,"Vulnerabilities in container security configurations should be remediated"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab,wolffdevtestlab,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,"IP Forwarding on your virtual machine should be disabled"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2,wolffdevtstlab2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,windowsguestconfigbaselinesmonitoring,72650e9f-97bc-4b2a-ab5f-9781a9fcecbc,/providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Windows machines should meet requirements of the Azure compute security baseline"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab,wolffdevtestlab,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,"Management ports should be closed on your virtual machines"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab,wolffdevtestlab,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,"Adaptive network hardening recommendations should be applied on internet facing virtual machines"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab,wolffdevtestlab,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,"SQL servers on machines should have vulnerability findings resolved"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab,wolffdevtestlab,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,"All network ports should be restricted on network security groups associated to your virtual machine"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2,wolffdevtstlab2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect,5752e6d6-1206-46d8-8ab1-ecc2f71a8112,/providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112,azure_security_benchmark_v3.0_dp-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.",Guest Configuration,"Windows web servers should be configured to use secure communication protocols"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab,wolffdevtestlab,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,"A vulnerability assessment solution should be enabled on your virtual machines"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab,wolffdevtestlab,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab,wolffdevtestlab,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,"Monitor missing Endpoint Protection in Azure Security Center"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab,wolffdevtestlab,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,"Vulnerabilities in security configuration on your machines should be remediated"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab,wolffdevtestlab,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Non-internet-facing virtual machines should be protected with network security groups"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab,wolffdevtestlab,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Internet-facing virtual machines should be protected with network security groups"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab,wolffdevtestlab,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,"Allowlist rules in your adaptive application control policy should be updated"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab,wolffdevtestlab,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,"Adaptive application controls for defining safe applications should be enabled on your machines"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab,wolffdevtestlab,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,"System updates should be installed on your machines"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab,wolffdevtestlab,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,"Management ports of virtual machines should be protected with just-in-time network access control"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab,wolffdevtestlab,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect,5752e6d6-1206-46d8-8ab1-ecc2f71a8112,/providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112,azure_security_benchmark_v3.0_dp-3,tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.",Guest Configuration,"Windows web servers should be configured to use secure communication protocols"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2,wolffdevtstlab2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,"Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2,wolffdevtstlab2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,"All network ports should be restricted on network security groups associated to your virtual machine"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2,wolffdevtstlab2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,"A vulnerability assessment solution should be enabled on your virtual machines"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab,wolffdevtestlab,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,"Guest Configuration extension should be installed on your machines"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab,wolffdevtestlab,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,"Endpoint protection should be installed on your machines"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab,wolffdevtestlab,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,"Endpoint protection health issues should be resolved on your machines"
01e7c251-3bed-4242-9d93-a5851b2e6671wolffdevtestlab949167712000Microsoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlabwolffdevtestlab1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration1.2.0prerequisite_deployextensionwindows385f5831-96d4-41db-9a3c-cd3af78aaae6/providers/microsoft.authorization/policydefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6tbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegionNonProdtbd926b3266e40c4140b798c8a2/providers/microsoft.management/managementgroups/mcapsregionnonprod/providers/microsoft.authorization/policyassignments/926b3266e40c4140b798c8a2This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs
01e7c251-3bed-4242-9d93-a5851b2e6671wolffdevtestlab949167712000Microsoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2wolffdevtstlab255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
01e7c251-3bed-4242-9d93-a5851b2e6671wolffdevtestlab949167712000Microsoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2wolffdevtstlab255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
01e7c251-3bed-4242-9d93-a5851b2e6671wolffdevtestlab949167712000Microsoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2wolffdevtstlab255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
01e7c251-3bed-4242-9d93-a5851b2e6671wolffdevtestlab949167712000Microsoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2wolffdevtstlab255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
01e7c251-3bed-4242-9d93-a5851b2e6671wolffdevtestlab949167712000Microsoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2wolffdevtstlab255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
01e7c251-3bed-4242-9d93-a5851b2e6671wolffdevtestlab949167712000Microsoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2wolffdevtstlab255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
01e7c251-3bed-4242-9d93-a5851b2e6671wolffdevtestlab949167712000Microsoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2wolffdevtstlab255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
01e7c251-3bed-4242-9d93-a5851b2e6671wolffdevtestlab949167712000Microsoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2wolffdevtstlab255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
01e7c251-3bed-4242-9d93-a5851b2e6671wolffdevtestlab949167712000Microsoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2wolffdevtstlab255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
01e7c251-3bed-4242-9d93-a5851b2e6671wolffdevtestlab949167712000Microsoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2wolffdevtstlab255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
01e7c251-3bed-4242-9d93-a5851b2e6671wolffdevtestlab949167712000Microsoft.Compute/virtualMachines/extensionstbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab/extensions/azurepolicyforwindowsazurepolicyforwindows55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
01e7c251-3bed-4242-9d93-a5851b2e6671wolffdevtestlab949167712000Microsoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2wolffdevtstlab255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
01e7c251-3bed-4242-9d93-a5851b2e6671wolffdevtestlab949167712000Microsoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2wolffdevtstlab255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
01e7c251-3bed-4242-9d93-a5851b2e6671wolffdevtestlab949167712000Microsoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2wolffdevtstlab255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
01e7c251-3bed-4242-9d93-a5851b2e6671wolffdevtestlab949167712000Microsoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2wolffdevtstlab255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
01e7c251-3bed-4242-9d93-a5851b2e6671wolffdevtestlab949167712000Microsoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2wolffdevtstlab255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
01e7c251-3bed-4242-9d93-a5851b2e6671wolffdevtestlab949167712000Microsoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2wolffdevtstlab255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
01e7c251-3bed-4242-9d93-a5851b2e6671wolffdevtestlab949167712000Microsoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2wolffdevtstlab255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
01e7c251-3bed-4242-9d93-a5851b2e6671wolffdevtestlab949167712000Microsoft.Compute/virtualMachines/extensionstbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2/extensions/azurepolicyforwindowsazurepolicyforwindows55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
01e7c251-3bed-4242-9d93-a5851b2e6671wolffdevtestlab949167712000Microsoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2wolffdevtstlab255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
01e7c251-3bed-4242-9d93-a5851b2e6671wolffdevtestlab949167712000Microsoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2wolffdevtstlab255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
01e7c251-3bed-4242-9d93-a5851b2e6671wolffdevtestlab949167712000Microsoft.Compute/virtualMachines/extensionstbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2/extensions/azurepolicyforwindowsazurepolicyforwindows55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2,wolffdevtstlab2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,"Azure Backup should be enabled for Virtual Machines"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab,wolffdevtestlab,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,windowsdefenderexploitguardmonitoring,bed48b13-6647-468e-aa2f-1af1d3f4dd40,/providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).",Guest Configuration,"Windows Defender Exploit Guard should be enabled on your machines"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab,wolffdevtestlab,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect,5752e6d6-1206-46d8-8ab1-ecc2f71a8112,/providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112,azure_security_benchmark_v3.0_dp-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.",Guest Configuration,"Windows web servers should be configured to use secure communication protocols"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2,wolffdevtstlab2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,"Endpoint protection health issues should be resolved on your machines"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2,wolffdevtstlab2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,"Endpoint protection should be installed on your machines"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2,wolffdevtstlab2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,"Vulnerabilities in container security configurations should be remediated"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2,wolffdevtstlab2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,"IP Forwarding on your virtual machine should be disabled"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2,wolffdevtstlab2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,"Management ports should be closed on your virtual machines"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2,wolffdevtstlab2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,"All network ports should be restricted on network security groups associated to your virtual machine"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2,wolffdevtstlab2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,"Adaptive network hardening recommendations should be applied on internet facing virtual machines"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2,wolffdevtstlab2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,"SQL servers on machines should have vulnerability findings resolved"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2,wolffdevtstlab2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2,wolffdevtstlab2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,"A vulnerability assessment solution should be enabled on your virtual machines"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab,wolffdevtestlab,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,"Azure Backup should be enabled for Virtual Machines"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2,wolffdevtstlab2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,windowsdefenderexploitguardmonitoring,bed48b13-6647-468e-aa2f-1af1d3f4dd40,/providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40,System.Object[],tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).",Guest Configuration,"Windows Defender Exploit Guard should be enabled on your machines"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2,wolffdevtstlab2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,"Monitor missing Endpoint Protection in Azure Security Center"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2,wolffdevtstlab2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Internet-facing virtual machines should be protected with network security groups"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2,wolffdevtstlab2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Non-internet-facing virtual machines should be protected with network security groups"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2,wolffdevtstlab2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,windowsdefenderexploitguardmonitoring,bed48b13-6647-468e-aa2f-1af1d3f4dd40,/providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).",Guest Configuration,"Windows Defender Exploit Guard should be enabled on your machines"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2,wolffdevtstlab2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,"Allowlist rules in your adaptive application control policy should be updated"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2,wolffdevtstlab2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,"Endpoint protection health issues should be resolved on your machines"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2,wolffdevtstlab2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,"Endpoint protection should be installed on your machines"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab,wolffdevtestlab,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,windowsguestconfigbaselinesmonitoring,72650e9f-97bc-4b2a-ab5f-9781a9fcecbc,/providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Windows machines should meet requirements of the Azure compute security baseline"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab,wolffdevtestlab,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,"Azure Backup should be enabled for Virtual Machines"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2,wolffdevtstlab2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,"Vulnerabilities in container security configurations should be remediated"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2,wolffdevtstlab2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,"IP Forwarding on your virtual machine should be disabled"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2,wolffdevtstlab2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,"Management ports should be closed on your virtual machines"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2,wolffdevtstlab2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,"Adaptive network hardening recommendations should be applied on internet facing virtual machines"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2,wolffdevtstlab2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,"Vulnerabilities in security configuration on your machines should be remediated"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab,wolffdevtestlab,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,windowsdefenderexploitguardmonitoring,bed48b13-6647-468e-aa2f-1af1d3f4dd40,/providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40,System.Object[],tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).",Guest Configuration,"Windows Defender Exploit Guard should be enabled on your machines"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffdevtestlab949167712000,Microsoft.Compute/virtualMachines/extensions,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab/extensions/azurepolicyforwindows,azurepolicyforwindows,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,"Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity"
01e7c251-3bed-4242-9d93-a5851b2e6671wolffdevtestlab949167712000Microsoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2wolffdevtstlab255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect5752e6d6-1206-46d8-8ab1-ecc2f71a8112/providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112azure_security_benchmark_v3.0_dp-3tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.Guest ConfigurationWindows web servers should be configured to use secure communication protocols
01e7c251-3bed-4242-9d93-a5851b2e6671wolffdevtestlab949167712000Microsoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2wolffdevtstlab255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
01e7c251-3bed-4242-9d93-a5851b2e6671wolffdevtestlab949167712000Microsoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2wolffdevtstlab255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
01e7c251-3bed-4242-9d93-a5851b2e6671wolffdevtestlab949167712000Microsoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2wolffdevtstlab255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
01e7c251-3bed-4242-9d93-a5851b2e6671wolffdevtestlab949167712000Microsoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2wolffdevtstlab21.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration1.2.0prerequisite_deployextensionwindows385f5831-96d4-41db-9a3c-cd3af78aaae6/providers/microsoft.authorization/policydefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6tbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegionNonProdtbd926b3266e40c4140b798c8a2/providers/microsoft.management/managementgroups/mcapsregionnonprod/providers/microsoft.authorization/policyassignments/926b3266e40c4140b798c8a2This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs
01e7c251-3bed-4242-9d93-a5851b2e6671wolffdevtestlab949167712000Microsoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2wolffdevtstlab255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
01e7c251-3bed-4242-9d93-a5851b2e6671wolffdevtestlab949167712000Microsoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2wolffdevtstlab255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
01e7c251-3bed-4242-9d93-a5851b2e6671wolffdevtestlab949167712000Microsoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2wolffdevtstlab255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
01e7c251-3bed-4242-9d93-a5851b2e6671wolffdevtestlab949167712000Microsoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlabwolffdevtestlab55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
01e7c251-3bed-4242-9d93-a5851b2e6671wolffdevtestlab949167712000Microsoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2wolffdevtstlab21.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSRegionNonProdtbd926b3266e40c4140b798c8a2/providers/microsoft.management/managementgroups/mcapsregionnonprod/providers/microsoft.authorization/policyassignments/926b3266e40c4140b798c8a2This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
01e7c251-3bed-4242-9d93-a5851b2e6671wolffdevtestlab949167712000Microsoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlabwolffdevtestlab55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
01e7c251-3bed-4242-9d93-a5851b2e6671wolffdevtestlab949167712000Microsoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlabwolffdevtestlab55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
01e7c251-3bed-4242-9d93-a5851b2e6671wolffdevtestlab949167712000Microsoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlabwolffdevtestlab55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
01e7c251-3bed-4242-9d93-a5851b2e6671wolffdevtestlab949167712000Microsoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlabwolffdevtestlab55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
01e7c251-3bed-4242-9d93-a5851b2e6671wolffdevtestlab949167712000Microsoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlabwolffdevtestlab55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
01e7c251-3bed-4242-9d93-a5851b2e6671wolffdevtestlab949167712000Microsoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlabwolffdevtestlab55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
01e7c251-3bed-4242-9d93-a5851b2e6671wolffdevtestlab949167712000Microsoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlabwolffdevtestlab55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
01e7c251-3bed-4242-9d93-a5851b2e6671wolffdevtestlab949167712000Microsoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlabwolffdevtestlab55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
01e7c251-3bed-4242-9d93-a5851b2e6671wolffdevtestlab949167712000Microsoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlabwolffdevtestlab1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSRegionNonProdtbd926b3266e40c4140b798c8a2/providers/microsoft.management/managementgroups/mcapsregionnonprod/providers/microsoft.authorization/policyassignments/926b3266e40c4140b798c8a2This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
01e7c251-3bed-4242-9d93-a5851b2e6671wolffdevtestlab949167712000Microsoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlabwolffdevtestlab1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSRegionNonProdtbd926b3266e40c4140b798c8a2/providers/microsoft.management/managementgroups/mcapsregionnonprod/providers/microsoft.authorization/policyassignments/926b3266e40c4140b798c8a2This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
01e7c251-3bed-4242-9d93-a5851b2e6671wolffdevtestlab949167712000Microsoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2wolffdevtstlab255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | /providers/Microsoft.Management/managementGroups/MCAPSRegion | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines
01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 1.0.0 | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | tbd | modify | /providers/Microsoft.Management/managementGroups/MCAPSRegionNonProd | tbd | 926b3266e40c4140b798c8a2 | /providers/microsoft.management/managementgroups/mcapsregionnonprod/providers/microsoft.authorization/policyassignments/926b3266e40c4140b798c8a2 | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center)
01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSRegion | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines
01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines
01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled
01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines
01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines
01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved
01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine
01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines
01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtstlab2 | wolffdevtstlab2 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSRegion | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline
01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center
01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated
01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated
01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline
01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated
01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups
01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups
01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control
01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines
01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffdevtestlab949167712000 | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffdevtestlab949167712000/providers/microsoft.compute/virtualmachines/wolffdevtestlab | wolffdevtestlab | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines
01e7c251-3bed-4242-9d93-a5851b2e6671 | wolfffilesrg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolfffilesrg/providers/microsoft.storage/storageaccounts/wolfffilessa | wolfffilessa | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | /providers/Microsoft.Management/managementGroups/MCAPSRegion | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources
01e7c251-3bed-4242-9d93-a5851b2e6671 | wolfffilesrg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolfffilesrg/providers/microsoft.storage/storageaccounts/wolfffilessa | wolfffilessa | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | /providers/Microsoft.Management/managementGroups/MCAPSRegion | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671 | wolfffilesrg | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolfffilesrg/providers/microsoft.storage/storageaccounts/wolfffilessa | wolfffilessa | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | /providers/Microsoft.Management/managementGroups/MCAPSRegion | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules
01e7c251-3bed-4242-9d93-a5851b2e6671 | wolfffilesrg | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolfffilesrg/providers/microsoft.storage/storageaccounts/wolfffilessa | wolfffilessa | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | /providers/Microsoft.Management/managementGroups/MCAPSRegion | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access
01e7c251-3bed-4242-9d93-a5851b2e6671 | wolfffilesrg | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolfffilesrg/providers/microsoft.storage/storageaccounts/wolfffilessa | wolfffilessa | 37e71fce-000a-453e-bb64-6e06cb2af34e | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policydefinitions/37e71fce-000a-453e-bb64-6e06cb2af34e | tbd | auditifnotexists | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | tbd | 50b6c395621b4c99a8693ae9 | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/50b6c395621b4c99a8693ae9 | alert to enable metrics to storage account blob sizes | Alerts | Custom policy for alerts on blob storage
01e7c251-3bed-4242-9d93-a5851b2e6671 | wolfffilesrg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolfffilesrg/providers/microsoft.storage/storageaccounts/wolfffilessa | wolfffilessa | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed
01e7c251-3bed-4242-9d93-a5851b2e6671 | wolfffilesrg | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolfffilesrg/providers/microsoft.storage/storageaccounts/wolfffilessa | wolfffilessa | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources
01e7c251-3bed-4242-9d93-a5851b2e6671wolfffilesrgMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolfffilesrg/providers/microsoft.storage/storageaccounts/wolfffilessawolfffilessa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
01e7c251-3bed-4242-9d93-a5851b2e6671wolfffilesrgMicrosoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolfffilesrg/providers/microsoft.storage/storageaccounts/wolfffilessawolfffilessa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671wolfffilesrgMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolfffilesrg/providers/microsoft.storage/storageaccounts/wolfffilessawolfffilessa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
01e7c251-3bed-4242-9d93-a5851b2e6671wolfffilesrgMicrosoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolfffilesrg/providers/microsoft.storage/storageaccounts/wolfffilessawolfffilessa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
01e7c251-3bed-4242-9d93-a5851b2e6671wolfffilesrgMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolfffilesrg/providers/microsoft.storage/storageaccounts/wolfffilessawolfffilessa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
01e7c251-3bed-4242-9d93-a5851b2e6671wolffhpcperfrgMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffhpcperfrg/providers/microsoft.storage/storageaccounts/gbbnfstestsagbbnfstestsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
01e7c251-3bed-4242-9d93-a5851b2e6671wolffhpcperfrgMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffhpcperfrg/providers/microsoft.storage/storageaccounts/gbbnfstestsagbbnfstestsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
01e7c251-3bed-4242-9d93-a5851b2e6671wolffhpcperfrgMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffhpcperfrg/providers/microsoft.storage/storageaccounts/gbbnfstestsagbbnfstestsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
01e7c251-3bed-4242-9d93-a5851b2e6671wolffhpcperfrgMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffhpcperfrg/providers/microsoft.storage/storageaccounts/gbbnfstestsagbbnfstestsa37e71fce-000a-453e-bb64-6e06cb2af34e/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policydefinitions/37e71fce-000a-453e-bb64-6e06cb2af34etbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbd50b6c395621b4c99a8693ae9/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/50b6c395621b4c99a8693ae9alert to enable metrics to storage account blob sizesAlertsCustom policy for alerts on blob storage
01e7c251-3bed-4242-9d93-a5851b2e6671wolffhpcperfrgMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffhpcperfrg/providers/microsoft.storage/storageaccounts/gbbnfstestsagbbnfstestsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
01e7c251-3bed-4242-9d93-a5851b2e6671wolffhpcperfrgMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffhpcperfrg/providers/microsoft.storage/storageaccounts/gbbnfstestsagbbnfstestsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
01e7c251-3bed-4242-9d93-a5851b2e6671wolffhpcperfrgMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffhpcperfrg/providers/microsoft.storage/storageaccounts/gbbnfstestsagbbnfstestsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
01e7c251-3bed-4242-9d93-a5851b2e6671wolffhpcperfrgMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffhpcperfrg/providers/microsoft.storage/storageaccounts/gbbnfstestsagbbnfstestsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671wolffhpcperfrgMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffhpcperfrg/providers/microsoft.storage/storageaccounts/gbbnfstestsagbbnfstestsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
01e7c251-3bed-4242-9d93-a5851b2e6671wolffhpcperfrgMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffhpcperfrg/providers/microsoft.storage/storageaccounts/gbbnfstestsagbbnfstestsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
01e7c251-3bed-4242-9d93-a5851b2e6671wolffhpcperfrgMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffhpcperfrg/providers/microsoft.storage/storageaccounts/gbbnfstestsagbbnfstestsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671wolffhpcperfrgMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffhpcperfrg/providers/microsoft.storage/storageaccounts/gbbnfstestsagbbnfstestsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
01e7c251-3bed-4242-9d93-a5851b2e6671wolffmgMicrosoft.Sql/serverstbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffmg/providers/Microsoft.Sql/servers/wolffsynapsewp3wolffsynapsewp355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0privateendpointconnectionsonazuresqldatabaseshouldbeenabledmonitoringeffect7698e800-9299-47a6-b3b6-5a0fee576eed/providers/microsoft.authorization/policydefinitions/7698e800-9299-47a6-b3b6-5a0fee576eedazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselinePrivate endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database.SQLPrivate endpoint connections on Azure SQL Database should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671wolffmgMicrosoft.Sql/serverstbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffmg/providers/Microsoft.Sql/servers/wolffsynapsewp3wolffsynapsewp355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0publicnetworkaccessonazuresqldatabaseshouldbedisabledmonitoringeffect1b8ca024-1d5c-4dec-8995-b1a932b41780/providers/microsoft.authorization/policydefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDisabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules.SQLPublic network access on Azure SQL Database should be disabled
01e7c251-3bed-4242-9d93-a5851b2e6671wolffmgMicrosoft.Sql/serverstbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffmg/providers/Microsoft.Sql/servers/wolffsynapsewp3wolffsynapsewp355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0publicnetworkaccessonazuresqldatabaseshouldbedisabledmonitoringeffect1b8ca024-1d5c-4dec-8995-b1a932b41780/providers/microsoft.authorization/policydefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineDisabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules.SQLPublic network access on Azure SQL Database should be disabled
01e7c251-3bed-4242-9d93-a5851b2e6671wolffmgMicrosoft.Sql/serverstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffmg/providers/Microsoft.Sql/servers/wolffsynapsewp3wolffsynapsewp355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0sqldbvulnerabilityassesmentmonitoringfeedbf84-6b99-488c-acc2-71c829aa5ffc/providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffcazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities.Security CenterSQL databases should have vulnerability findings resolved
01e7c251-3bed-4242-9d93-a5851b2e6671wolffmgMicrosoft.Sql/serverstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffmg/providers/Microsoft.Sql/servers/wolffsynapsewp3wolffsynapsewp355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0sqldbvulnerabilityassesmentmonitoringfeedbf84-6b99-488c-acc2-71c829aa5ffc/providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffcazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities.Security CenterSQL databases should have vulnerability findings resolved
01e7c251-3bed-4242-9d93-a5851b2e6671wolffmgMicrosoft.Sql/serverstbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffmg/providers/Microsoft.Sql/servers/wolffsynapsewp3wolffsynapsewp355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0aadauthenticationinsqlservermonitoring1f314764-cb73-4fc9-b863-8eca98ac36e9/providers/microsoft.authorization/policydefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9azure_security_benchmark_v3.0_im-1tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft servicesSQLAn Azure Active Directory administrator should be provisioned for SQL servers
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffmg,Microsoft.Sql/servers,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffmg/providers/Microsoft.Sql/servers/wolffsynapsewp3,wolffsynapsewp3,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,aadauthenticationinsqlservermonitoring,1f314764-cb73-4fc9-b863-8eca98ac36e9,/providers/microsoft.authorization/policydefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9,azure_security_benchmark_v3.0_im-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services","SQL","An Azure Active Directory administrator should be provisioned for SQL servers"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffmg,Microsoft.Sql/servers,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffmg/providers/Microsoft.Sql/servers/wolffsynapsewp3,wolffsynapsewp3,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.1.0,privateendpointconnectionsonazuresqldatabaseshouldbeenabledmonitoringeffect,7698e800-9299-47a6-b3b6-5a0fee576eed,/providers/microsoft.authorization/policydefinitions/7698e800-9299-47a6-b3b6-5a0fee576eed,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database.","SQL","Private endpoint connections on Azure SQL Database should be enabled"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffmgmtwest3rg,Microsoft.Network/virtualNetworks/subnets,tbd,,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffmgmtwest3rg/providers/microsoft.network/virtualnetworks/wolffwest3vnet/subnets/sqlsn,sqlsn,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.","Security Center","Subnets should be associated with a Network Security Group"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffmgmtwest3rg,Microsoft.Network/virtualNetworks/subnets,tbd,,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffmgmtwest3rg/providers/microsoft.network/virtualnetworks/wolffwest3vnet/subnets/default,default,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.","Security Center","Subnets should be associated with a Network Security Group"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffmgmtwest3rg,Microsoft.Network/virtualNetworks,tbd,westus3,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffmgmtwest3rg/providers/microsoft.network/virtualnetworks/wolffwest3vnet,wolffwest3vnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networkwatchershouldbeenabledmonitoringeffect,b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,azure_security_benchmark_v3.0_ir-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.","Network","Network Watcher should be enabled"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffmgmtwest3rg,Microsoft.Network/virtualNetworks,tbd,westus3,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffmgmtwest3rg/providers/microsoft.network/virtualnetworks/wolffwest3vnet,wolffwest3vnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vnetenableddosprotectionmonitoring,a7aca53f-2ed4-4466-a25e-0b45ade68efd,/providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd,azure_security_benchmark_v3.0_ns-5,tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.","Security Center","Azure DDoS Protection Standard should be enabled"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffmgmtwest3rg,Microsoft.Network/virtualNetworks,tbd,westus3,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffmgmtwest3rg/providers/microsoft.network/virtualnetworks/wolffwest3vnet,wolffwest3vnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networkwatchershouldbeenabledmonitoringeffect,b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,azure_security_benchmark_v3.0_ir-4,tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.","Network","Network Watcher should be enabled"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffResources,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest,wolffaadlogintest,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc","Security Center","Non-internet-facing virtual machines should be protected with network security groups"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffResources,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest,wolffaadlogintest,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhenuser,497dff13-db2a-4c0f-8603-28fa3b331ab6,/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSRegionNonProd,tbd,,926b3266e40c4140b798c8a2,/providers/microsoft.management/managementgroups/mcapsregionnonprod/providers/microsoft.authorization/policyassignments/926b3266e40c4140b798c8a2,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.","Guest Configuration","Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity"
01e7c251-3bed-4242-9d93-a5851b2e6671,WOLFFRESOURCES,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog,wolffwin11testlog,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations","Security Center","Monitor missing Endpoint Protection in Azure Security Center"
01e7c251-3bed-4242-9d93-a5851b2e6671,WOLFFRESOURCES,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog,wolffwin11testlog,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations","Security Center","Vulnerabilities in security configuration on your machines should be remediated"
01e7c251-3bed-4242-9d93-a5851b2e6671,WOLFFRESOURCES,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog,wolffwin11testlog,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc","Security Center","Non-internet-facing virtual machines should be protected with network security groups"
01e7c251-3bed-4242-9d93-a5851b2e6671,WOLFFRESOURCES,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog,wolffwin11testlog,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc","Security Center","Internet-facing virtual machines should be protected with network security groups"
01e7c251-3bed-4242-9d93-a5851b2e6671,WOLFFRESOURCES,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog,wolffwin11testlog,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.","Security Center","Allowlist rules in your adaptive application control policy should be updated"
01e7c251-3bed-4242-9d93-a5851b2e6671,WOLFFRESOURCES,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog,wolffwin11testlog,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.","Security Center","Adaptive application controls for defining safe applications should be enabled on your machines"
01e7c251-3bed-4242-9d93-a5851b2e6671,WOLFFRESOURCES,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog,wolffwin11testlog,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations","Security Center","Management ports of virtual machines should be protected with just-in-time network access control"
01e7c251-3bed-4242-9d93-a5851b2e6671,WOLFFRESOURCES,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog,wolffwin11testlog,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.","Security Center","[Preview]: System updates should be installed on your machines (powered by Update Center)"
01e7c251-3bed-4242-9d93-a5851b2e6671,WOLFFRESOURCES,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog,wolffwin11testlog,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations","Security Center","System updates should be installed on your machines"
01e7c251-3bed-4242-9d93-a5851b2e6671,WOLFFRESOURCES,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog,wolffwin11testlog,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.","Backup","Azure Backup should be enabled for Virtual Machines"
01e7c251-3bed-4242-9d93-a5851b2e6671,WOLFFRESOURCES,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog,wolffwin11testlog,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.","Security Center","Guest Configuration extension should be installed on your machines"
01e7c251-3bed-4242-9d93-a5851b2e6671,WOLFFRESOURCES,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog,wolffwin11testlog,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,1.2.0,prerequisite_deployextensionwindows,385f5831-96d4-41db-9a3c-cd3af78aaae6,/providers/microsoft.authorization/policydefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6,,tbd,deployifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegionNonProd,tbd,,926b3266e40c4140b798c8a2,/providers/microsoft.management/managementgroups/mcapsregionnonprod/providers/microsoft.authorization/policyassignments/926b3266e40c4140b798c8a2,"This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.","Guest Configuration","Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffResources,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest,wolffaadlogintest,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,windowsdefenderexploitguardmonitoring,bed48b13-6647-468e-aa2f-1af1d3f4dd40,/providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40,System.Object[],tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).","Guest Configuration","Windows Defender Exploit Guard should be enabled on your machines"
01e7c251-3bed-4242-9d93-a5851b2e6671,WOLFFRESOURCES,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog,wolffwin11testlog,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSRegion,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats","Security Center","Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffResources,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest,wolffaadlogintest,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,windowsguestconfigbaselinesmonitoring,72650e9f-97bc-4b2a-ab5f-9781a9fcecbc,/providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.","Guest Configuration","Windows machines should meet requirements of the Azure compute security baseline"
01e7c251-3bed-4242-9d93-a5851b2e6671,WOLFFRESOURCES,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog,wolffwin11testlog,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.","Security Center","Endpoint protection health issues should be resolved on your machines"
01e7c251-3bed-4242-9d93-a5851b2e6671,WOLFFRESOURCES,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog,wolffwin11testlog,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.","Security Center","Endpoint protection should be installed on your machines"
01e7c251-3bed-4242-9d93-a5851b2e6671,wolffResources,Microsoft.ServiceBus/namespaces,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.servicebus/namespaces/wolffsbnamespace140373,wolffsbnamespace140373,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,5.0.0,diagnosticslogsinservicebusmonitoring,f8d36e2f-389b-4ee4-898d-21aeb69a0f45,/providers/microsoft.authorization/policydefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45,azure_security_benchmark_v3.0_lt-3,tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised","Service Bus","Resource logs in Service Bus should be enabled"
01e7c251-3bed-4242-9d93-a5851b2e6671,WOLFFRESOURCES,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog,wolffwin11testlog,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc","Security Center","Non-internet-facing virtual machines should be protected with network security groups"
01e7c251-3bed-4242-9d93-a5851b2e6671,WOLFFRESOURCES,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog,wolffwin11testlog,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations","Security Center","Vulnerabilities in security configuration on your machines should be remediated"
01e7c251-3bed-4242-9d93-a5851b2e6671,WOLFFRESOURCES,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog,wolffwin11testlog,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations","Security Center","Monitor missing Endpoint Protection in Azure Security Center"
01e7c251-3bed-4242-9d93-a5851b2e6671,WOLFFRESOURCES,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog,wolffwin11testlog,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671,tbd,,SecurityCenterBuiltIn,/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison","Security Center","Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
01e7c251-3bed-4242-9d93-a5851b2e6671WOLFFRESOURCESMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlogwolffwin11testlog55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
01e7c251-3bed-4242-9d93-a5851b2e6671WOLFFRESOURCESMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlogwolffwin11testlog55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
01e7c251-3bed-4242-9d93-a5851b2e6671WOLFFRESOURCESMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlogwolffwin11testlog55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
01e7c251-3bed-4242-9d93-a5851b2e6671WOLFFRESOURCESMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlogwolffwin11testlog55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
01e7c251-3bed-4242-9d93-a5851b2e6671WOLFFRESOURCESMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlogwolffwin11testlog55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
01e7c251-3bed-4242-9d93-a5851b2e6671WOLFFRESOURCESMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlogwolffwin11testlog55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
01e7c251-3bed-4242-9d93-a5851b2e6671WOLFFRESOURCESMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlogwolffwin11testlog55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
01e7c251-3bed-4242-9d93-a5851b2e6671wolffResourcesMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintestwolffaadlogintest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0windowsdefenderexploitguardmonitoringbed48b13-6647-468e-aa2f-1af1d3f4dd40/providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineWindows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).Guest ConfigurationWindows Defender Exploit Guard should be enabled on your machines
01e7c251-3bed-4242-9d93-a5851b2e6671WOLFFRESOURCESMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlogwolffwin11testlog55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
01e7c251-3bed-4242-9d93-a5851b2e6671WOLFFRESOURCESMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlogwolffwin11testlog55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
01e7c251-3bed-4242-9d93-a5851b2e6671WOLFFRESOURCESMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlogwolffwin11testlog55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
01e7c251-3bed-4242-9d93-a5851b2e6671WOLFFRESOURCESMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlogwolffwin11testlog55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
01e7c251-3bed-4242-9d93-a5851b2e6671WOLFFRESOURCESMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlogwolffwin11testlog55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
01e7c251-3bed-4242-9d93-a5851b2e6671WOLFFRESOURCESMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlogwolffwin11testlog55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect5752e6d6-1206-46d8-8ab1-ecc2f71a8112/providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112azure_security_benchmark_v3.0_dp-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.Guest ConfigurationWindows web servers should be configured to use secure communication protocols
01e7c251-3bed-4242-9d93-a5851b2e6671WOLFFRESOURCESMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlogwolffwin11testlog55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0windowsdefenderexploitguardmonitoringbed48b13-6647-468e-aa2f-1af1d3f4dd40/providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineWindows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).Guest ConfigurationWindows Defender Exploit Guard should be enabled on your machines
01e7c251-3bed-4242-9d93-a5851b2e6671wolffResourcesMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.storage/storageaccounts/wolffsa140373wolffsa14037355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
01e7c251-3bed-4242-9d93-a5851b2e6671wolffResourcesMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.storage/storageaccounts/wolffsa140373wolffsa14037337e71fce-000a-453e-bb64-6e06cb2af34e/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policydefinitions/37e71fce-000a-453e-bb64-6e06cb2af34etbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbd50b6c395621b4c99a8693ae9/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/50b6c395621b4c99a8693ae9alert to enable metrics to storage account blob sizesAlertsCustom policy for alerts on blob storage
01e7c251-3bed-4242-9d93-a5851b2e6671wolffResourcesMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.storage/storageaccounts/wolffsa140373wolffsa14037355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
01e7c251-3bed-4242-9d93-a5851b2e6671wolffResourcesMicrosoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.storage/storageaccounts/wolffsa140373wolffsa14037355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
01e7c251-3bed-4242-9d93-a5851b2e6671WOLFFRESOURCESMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlogwolffwin11testlog55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0windowsdefenderexploitguardmonitoringbed48b13-6647-468e-aa2f-1af1d3f4dd40/providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40System.Object[]tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinWindows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).Guest ConfigurationWindows Defender Exploit Guard should be enabled on your machines
01e7c251-3bed-4242-9d93-a5851b2e6671wolffResourcesMicrosoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.storage/storageaccounts/wolffsa140373wolffsa14037355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
01e7c251-3bed-4242-9d93-a5851b2e6671wolffResourcesMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.storage/storageaccounts/wolffsa140373wolffsa14037355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
01e7c251-3bed-4242-9d93-a5851b2e6671wolffResourcesMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.storage/storageaccounts/wolffsa140373wolffsa14037355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
SubscriptionId | ResourceGroup | ResourceType | ResourceTags | ResourceLocation | IsCompliant | ComplianceState | ResourceId | Resource | PolicySetDefinitionVersion | PolicySetDefinitionName | PolicySetDefinitionId | PolicySetDefinitionCategory | PolicyDefinitionVersion | PolicyDefinitionReferenceId | PolicyDefinitionName | PolicyDefinitionId | PolicyDefinitionGroupNames | PolicyDefinitionCategory | PolicyDefinitionAction | PolicyAssignmentScope | PolicyAssignmentParameters | PolicyAssignmentName | PolicyAssignmentId | PolicyDescription | PolicyCategory | PolicyDisplayName
01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.storage/storageaccounts/wolffsa140373 | wolffsa140373 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed
01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.storage/storageaccounts/wolffsa140373 | wolffsa140373 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources
01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.ServiceBus/namespaces | tbd | westus | False | NonCompliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.servicebus/namespaces/wolffsbnamespace140373 | wolffsbnamespace140373 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 5.0.0 | diagnosticslogsinservicebusmonitoring | f8d36e2f-389b-4ee4-898d-21aeb69a0f45 | /providers/microsoft.authorization/policydefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSRegion | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Service Bus | Resource logs in Service Bus should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.storage/storageaccounts/wolffsa140373 | wolffsa140373 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.storage/storageaccounts/wolffsa140373 | wolffsa140373 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | /providers/Microsoft.Management/managementGroups/MCAPSRegion | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated
01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Devices/IotHubs | tbd | westus | False | NonCompliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.devices/iothubs/wolfftesthub140373 | wolfftesthub140373 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.1 | diagnosticslogsiniothubmonitoring | 383856f8-de7f-44a2-81fc-e5135b5c2aa4 | /providers/microsoft.authorization/policydefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Internet of Things | Resource logs in IoT Hub should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSRegion | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline
01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSRegion | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines
01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSRegion | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines
01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSRegion | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled
01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSRegion | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated
01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSRegion | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols
01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSRegion | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines
01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Devices/IotHubs | tbd | westus | False | NonCompliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.devices/iothubs/wolfftesthub140373 | wolfftesthub140373 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.1 | diagnosticslogsiniothubmonitoring | 383856f8-de7f-44a2-81fc-e5135b5c2aa4 | /providers/microsoft.authorization/policydefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSRegion | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | Internet of Things | Resource logs in IoT Hub should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSRegion | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines
01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffresources | Microsoft.Compute/virtualMachines/extensions | tbd | westus | True | Compliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffresources | Microsoft.Compute/virtualMachines/extensions | tbd | westus | True | Compliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSRegion | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols
01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline
01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols
01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSRegion | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline
01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSRegion | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines
01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines
01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups
01e7c251-3bed-4242-9d93-a5851b2e6671 | WOLFFRESOURCES | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlog | wolffwin11testlog | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center)
01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines
01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine
01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved
01e7c251-3bed-4242-9d93-a5851b2e6671 | wolffResources | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest | wolffaadlogintest | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671 | tbd | SecurityCenterBuiltIn | /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines
01e7c251-3bed-4242-9d93-a5851b2e6671wolffResourcesMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintestwolffaadlogintest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
01e7c251-3bed-4242-9d93-a5851b2e6671wolffResourcesMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintestwolffaadlogintest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
01e7c251-3bed-4242-9d93-a5851b2e6671wolffResourcesMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintestwolffaadlogintest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
01e7c251-3bed-4242-9d93-a5851b2e6671wolffResourcesMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintestwolffaadlogintest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
01e7c251-3bed-4242-9d93-a5851b2e6671wolffResourcesMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.storage/storageaccounts/wolffsa140373wolffsa14037355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
01e7c251-3bed-4242-9d93-a5851b2e6671wolffResourcesMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintestwolffaadlogintest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
01e7c251-3bed-4242-9d93-a5851b2e6671wolffResourcesMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintestwolffaadlogintest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
01e7c251-3bed-4242-9d93-a5851b2e6671WOLFFRESOURCESMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlogwolffwin11testlog55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
01e7c251-3bed-4242-9d93-a5851b2e6671wolffResourcesMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintestwolffaadlogintest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
01e7c251-3bed-4242-9d93-a5851b2e6671wolffResourcesMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintestwolffaadlogintest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
01e7c251-3bed-4242-9d93-a5851b2e6671wolffResourcesMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintestwolffaadlogintest1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration1.2.0prerequisite_deployextensionwindows385f5831-96d4-41db-9a3c-cd3af78aaae6/providers/microsoft.authorization/policydefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6tbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegionNonProdtbd926b3266e40c4140b798c8a2/providers/microsoft.management/managementgroups/mcapsregionnonprod/providers/microsoft.authorization/policyassignments/926b3266e40c4140b798c8a2This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs
01e7c251-3bed-4242-9d93-a5851b2e6671wolffResourcesMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintestwolffaadlogintest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
01e7c251-3bed-4242-9d93-a5851b2e6671wolffResourcesMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintestwolffaadlogintest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
01e7c251-3bed-4242-9d93-a5851b2e6671wolffResourcesMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintestwolffaadlogintest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
01e7c251-3bed-4242-9d93-a5851b2e6671wolffResourcesMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintestwolffaadlogintest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
01e7c251-3bed-4242-9d93-a5851b2e6671wolffResourcesMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintestwolffaadlogintest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
01e7c251-3bed-4242-9d93-a5851b2e6671wolffResourcesMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintestwolffaadlogintest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
01e7c251-3bed-4242-9d93-a5851b2e6671wolffResourcesMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintestwolffaadlogintest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
01e7c251-3bed-4242-9d93-a5851b2e6671wolffResourcesMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintestwolffaadlogintest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
01e7c251-3bed-4242-9d93-a5851b2e6671wolffResourcesMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintestwolffaadlogintest1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSRegionNonProdtbd926b3266e40c4140b798c8a2/providers/microsoft.management/managementgroups/mcapsregionnonprod/providers/microsoft.authorization/policyassignments/926b3266e40c4140b798c8a2This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
01e7c251-3bed-4242-9d93-a5851b2e6671wolffResourcesMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintestwolffaadlogintest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
01e7c251-3bed-4242-9d93-a5851b2e6671wolffResourcesMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintestwolffaadlogintest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
01e7c251-3bed-4242-9d93-a5851b2e6671wolffResourcesMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintestwolffaadlogintest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
01e7c251-3bed-4242-9d93-a5851b2e6671wolffResourcesMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintestwolffaadlogintest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
01e7c251-3bed-4242-9d93-a5851b2e6671wolffResourcesMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintestwolffaadlogintest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
01e7c251-3bed-4242-9d93-a5851b2e6671wolffResourcesMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintestwolffaadlogintest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
01e7c251-3bed-4242-9d93-a5851b2e6671wolffResourcesMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintestwolffaadlogintest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
01e7c251-3bed-4242-9d93-a5851b2e6671wolffResourcesMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintestwolffaadlogintest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
01e7c251-3bed-4242-9d93-a5851b2e6671wolffResourcesMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintestwolffaadlogintest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
01e7c251-3bed-4242-9d93-a5851b2e6671wolffResourcesMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintestwolffaadlogintest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
01e7c251-3bed-4242-9d93-a5851b2e6671wolffResourcesMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintestwolffaadlogintest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
01e7c251-3bed-4242-9d93-a5851b2e6671WOLFFRESOURCESMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlogwolffwin11testlog1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSRegionNonProdtbd926b3266e40c4140b798c8a2/providers/microsoft.management/managementgroups/mcapsregionnonprod/providers/microsoft.authorization/policyassignments/926b3266e40c4140b798c8a2This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
01e7c251-3bed-4242-9d93-a5851b2e6671wolffResourcesMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintestwolffaadlogintest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
01e7c251-3bed-4242-9d93-a5851b2e6671WOLFFRESOURCESMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlogwolffwin11testlog55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
01e7c251-3bed-4242-9d93-a5851b2e6671WOLFFRESOURCESMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlogwolffwin11testlog55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
01e7c251-3bed-4242-9d93-a5851b2e6671WOLFFRESOURCESMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlogwolffwin11testlog55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
01e7c251-3bed-4242-9d93-a5851b2e6671WOLFFRESOURCESMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlogwolffwin11testlog55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
01e7c251-3bed-4242-9d93-a5851b2e6671wolffresourcesMicrosoft.Compute/virtualMachines/extensionstbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest/extensions/azurepolicyforwindowsazurepolicyforwindows55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
01e7c251-3bed-4242-9d93-a5851b2e6671WOLFFRESOURCESMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlogwolffwin11testlog55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
01e7c251-3bed-4242-9d93-a5851b2e6671WOLFFRESOURCESMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlogwolffwin11testlog55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
01e7c251-3bed-4242-9d93-a5851b2e6671WOLFFRESOURCESMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlogwolffwin11testlog55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
01e7c251-3bed-4242-9d93-a5851b2e6671WOLFFRESOURCESMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlogwolffwin11testlog55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
01e7c251-3bed-4242-9d93-a5851b2e6671wolffresourcesMicrosoft.Compute/virtualMachines/extensionstbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest/extensions/azurepolicyforwindowsazurepolicyforwindows55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
01e7c251-3bed-4242-9d93-a5851b2e6671wolffResourcesMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintestwolffaadlogintest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
01e7c251-3bed-4242-9d93-a5851b2e6671WOLFFRESOURCESMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlogwolffwin11testlog55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
01e7c251-3bed-4242-9d93-a5851b2e6671WOLFFRESOURCESMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlogwolffwin11testlog55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
01e7c251-3bed-4242-9d93-a5851b2e6671wolffResourcesMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintestwolffaadlogintest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
01e7c251-3bed-4242-9d93-a5851b2e6671WOLFFRESOURCESMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffwin11testlogwolffwin11testlog1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSRegionNonProdtbd926b3266e40c4140b798c8a2/providers/microsoft.management/managementgroups/mcapsregionnonprod/providers/microsoft.authorization/policyassignments/926b3266e40c4140b798c8a2This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
01e7c251-3bed-4242-9d93-a5851b2e6671wolffResourcesMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintestwolffaadlogintest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
Compliance rows (fields reconstructed from the fused export; values verbatim). Common to every row: SubscriptionId 01e7c251-3bed-4242-9d93-a5851b2e6671; ResourceTags and PolicyAssignmentParameters "tbd"; EffectiveParameters, PolicySetDefinitionParameters, PolicySetDefinitionOwner, PolicyEvaluationDetails, PolicyAssignmentVersion and PolicyAssignmentOwner empty.

Resources referenced:
  wolffaadlogintest  = /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffresources/providers/microsoft.compute/virtualmachines/wolffaadlogintest
  wolffwest3sqlsvr   = /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffsqlwest3rg/providers/Microsoft.Sql/servers/wolffwest3sqlsvr
  wolffwest3db       = /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffsqlwest3rg/providers/Microsoft.Sql/servers/wolffwest3sqlsvr/databases/wolffwest3db

Policy set definitions referenced:
  1f3afdf9-d0c9-4c3d-847f-89da613e70a8 = /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8, version 55.0.0, category "security center" (all rows except the one marked with policy set 9cb3cc7a)
  9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97 = /providers/Microsoft.Authorization/policySetDefinitions/9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97, version 3.0.0, category "security center"

Policy assignments referenced (PolicyDefinitionId is /providers/microsoft.authorization/policydefinitions/<PolicyDefinitionId> in every row):
  Azure_Security_Baseline      scope /providers/Microsoft.Management/managementGroups/MCAPSRegion, id /providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baseline
  SecurityCenterBuiltIn        scope /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671, id /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
  DataProtectionSecurityCenter scope /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671, id /subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/dataprotectionsecuritycenter

ResourceGroup | ResourceType | Resource | ResourceLocation | ComplianceState | PolicyDefinitionVersion | PolicyDefinitionReferenceId | PolicyDefinitionId | PolicyDefinitionGroupNames | PolicyDefinitionAction | PolicyAssignmentName | PolicyCategory | PolicyDisplayName | PolicyDescription
wolffResources | Microsoft.Compute/virtualMachines | wolffaadlogintest | westus | Compliant | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | auditifnotexists | Azure_Security_Baseline | Security Center | Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations
wolffResources | Microsoft.Compute/virtualMachines | wolffaadlogintest | westus | Compliant | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | auditifnotexists | Azure_Security_Baseline | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.
wolffResources | Microsoft.Compute/virtualMachines | wolffaadlogintest | westus | Compliant | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | auditifnotexists | Azure_Security_Baseline | Security Center | Allowlist rules in your adaptive application control policy should be updated | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.
wolffResources | Microsoft.Compute/virtualMachines | wolffaadlogintest | westus | Compliant | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | auditifnotexists | Azure_Security_Baseline | Security Center | Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc
wolffResources | Microsoft.Compute/virtualMachines | wolffaadlogintest | westus | NonCompliant | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | auditifnotexists | Azure_Security_Baseline | Security Center | Endpoint protection should be installed on your machines | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.
wolffResources | Microsoft.Compute/virtualMachines | wolffaadlogintest | westus | Compliant | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | auditifnotexists | Azure_Security_Baseline | Security Center | Vulnerabilities in security configuration on your machines should be remediated | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations
wolffResources | Microsoft.Compute/virtualMachines | wolffaadlogintest | westus | NonCompliant | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | auditifnotexists | Azure_Security_Baseline | Security Center | Monitor missing Endpoint Protection in Azure Security Center | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations
wolffResources | Microsoft.Compute/virtualMachines | wolffaadlogintest | westus | Compliant | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | auditifnotexists | Azure_Security_Baseline | Security Center | Non-internet-facing virtual machines should be protected with network security groups | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc
wolffResources | Microsoft.Compute/virtualMachines | wolffaadlogintest | westus | NonCompliant | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | auditifnotexists | Azure_Security_Baseline | Security Center | A vulnerability assessment solution should be enabled on your virtual machines | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.
wolffResources | Microsoft.Compute/virtualMachines | wolffaadlogintest | westus | Compliant | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | auditifnotexists | Azure_Security_Baseline | Security Center | All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.
wolffResources | Microsoft.Compute/virtualMachines | wolffaadlogintest | westus | NonCompliant | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | auditifnotexists | Azure_Security_Baseline | Security Center | SQL servers on machines should have vulnerability findings resolved | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.
wolffResources | Microsoft.Compute/virtualMachines | wolffaadlogintest | westus | Compliant | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | auditifnotexists | Azure_Security_Baseline | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface
wolffResources | Microsoft.Compute/virtualMachines | wolffaadlogintest | westus | Compliant | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | auditifnotexists | Azure_Security_Baseline | Security Center | Management ports should be closed on your virtual machines | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.
wolffResources | Microsoft.Compute/virtualMachines | wolffaadlogintest | westus | Compliant | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | auditifnotexists | Azure_Security_Baseline | Security Center | IP Forwarding on your virtual machine should be disabled | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.
wolffResources | Microsoft.Compute/virtualMachines | wolffaadlogintest | westus | NonCompliant | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | auditifnotexists | Azure_Security_Baseline | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison
wolffsqlwest3rg | Microsoft.Sql/servers | wolffwest3sqlsvr | westus3 | Compliant | 2.0.0 | sqlserverauditingmonitoring | a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9 | azure_security_benchmark_v3.0_lt-3 | auditifnotexists | Azure_Security_Baseline | SQL | Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log.
wolffsqlwest3rg | Microsoft.Sql/servers/databases | wolffwest3db | westus3 | Compliant | 2.0.0 | sqldbencryptionmonitoring | 17k78e20-9358-41c9-923c-fb736d382a12 | azure_security_benchmark_v3.0_dp-4 | auditifnotexists | Azure_Security_Baseline | SQL | Transparent Data Encryption on SQL databases should be enabled | Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements
wolffsqlwest3rg | Microsoft.Sql/servers/databases | wolffwest3db | westus3 | Compliant | 2.0.0 | sqldbencryptionmonitoring | 17k78e20-9358-41c9-923c-fb736d382a12 | azure_security_benchmark_v3.0_dp-4 | auditifnotexists | SecurityCenterBuiltIn | SQL | Transparent Data Encryption on SQL databases should be enabled | Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements
wolffsqlwest3rg | Microsoft.Sql/servers | wolffwest3sqlsvr | westus3 | Compliant | 3.0.0 | sqlserversshouldbeconfiguredwithauditingretentiondaysgreaterthan90daysmonitoringeffect | 89099bee-89e0-4b26-a5f4-165451757743 | azure_security_benchmark_v3.0_lt-6 | auditifnotexists | SecurityCenterBuiltIn | SQL | SQL servers with auditing to storage account destination should be configured with 90 days retention or higher | For incident investigation purposes, we recommend setting the data retention for your SQL Server' auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards.
wolffsqlwest3rg | Microsoft.Sql/servers | wolffwest3sqlsvr | westus3 | Compliant | 3.0.0 | sqlserversshouldbeconfiguredwithauditingretentiondaysgreaterthan90daysmonitoringeffect | 89099bee-89e0-4b26-a5f4-165451757743 | azure_security_benchmark_v3.0_lt-6 | auditifnotexists | Azure_Security_Baseline | SQL | SQL servers with auditing to storage account destination should be configured with 90 days retention or higher | For incident investigation purposes, we recommend setting the data retention for your SQL Server' auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards.
wolffsqlwest3rg | Microsoft.Sql/servers | wolffwest3sqlsvr | westus3 | Compliant | 1.0.0 | aadauthenticationinsqlservermonitoring | 1f314764-cb73-4fc9-b863-8eca98ac36e9 | azure_security_benchmark_v3.0_im-1 | auditifnotexists | Azure_Security_Baseline | SQL | An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services
wolffsqlwest3rg | Microsoft.Sql/servers | wolffwest3sqlsvr | westus3 | Compliant | 2.1.0 | deploythreatdetectiononsqlservers | 36d49e87-48c4-4f2e-beed-ba4ed02b71f5 | (empty) | deployifnotexists | DataProtectionSecurityCenter (policy set 9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97, version 3.0.0) | SQL | Configure Azure Defender to be enabled on SQL servers | Enable Azure Defender on your Azure SQL Servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.
wolffsqlwest3rg | Microsoft.Sql/servers | wolffwest3sqlsvr | westus3 | NonCompliant | 3.0.0 | vulnerabilityassessmentonservermonitoring | ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9 | azure_security_benchmark_v3.0_pv-5 | auditifnotexists | SecurityCenterBuiltIn | SQL | Vulnerability assessment should be enabled on your SQL servers | Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.
wolffsqlwest3rg | Microsoft.Sql/servers | wolffwest3sqlsvr | westus3 | NonCompliant | 4.0.0 | sqldbvulnerabilityassesmentmonitoring | feedbf84-6b99-488c-acc2-71c829aa5ffc | azure_security_benchmark_v3.0_pv-6 | auditifnotexists | SecurityCenterBuiltIn | Security Center | SQL databases should have vulnerability findings resolved | Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities.
wolffsqlwest3rg | Microsoft.Sql/servers | wolffwest3sqlsvr | westus3 | Compliant | 1.1.0 | privateendpointconnectionsonazuresqldatabaseshouldbeenabledmonitoringeffect | 7698e800-9299-47a6-b3b6-5a0fee576eed | azure_security_benchmark_v3.0_ns-2 | audit | SecurityCenterBuiltIn | SQL | Private endpoint connections on Azure SQL Database should be enabled | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database.
wolffsqlwest3rg | Microsoft.Sql/servers | wolffwest3sqlsvr | westus3 | NonCompliant | 1.1.0 | publicnetworkaccessonazuresqldatabaseshouldbedisabledmonitoringeffect | 1b8ca024-1d5c-4dec-8995-b1a932b41780 | azure_security_benchmark_v3.0_ns-2 | audit | SecurityCenterBuiltIn | SQL | Public network access on Azure SQL Database should be disabled | Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules.
wolffsqlwest3rg | Microsoft.Sql/servers | wolffwest3sqlsvr | westus3 | Compliant | 1.1.0 | privateendpointconnectionsonazuresqldatabaseshouldbeenabledmonitoringeffect | 7698e800-9299-47a6-b3b6-5a0fee576eed | azure_security_benchmark_v3.0_ns-2 | audit | Azure_Security_Baseline | SQL | Private endpoint connections on Azure SQL Database should be enabled | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database.
wolffsqlwest3rg | Microsoft.Sql/servers | wolffwest3sqlsvr | westus3 | NonCompliant | 1.1.0 | publicnetworkaccessonazuresqldatabaseshouldbedisabledmonitoringeffect | 1b8ca024-1d5c-4dec-8995-b1a932b41780 | azure_security_benchmark_v3.0_ns-2 | audit | Azure_Security_Baseline | SQL | Public network access on Azure SQL Database should be disabled | Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules.
wolffsqlwest3rg | Microsoft.Sql/servers | wolffwest3sqlsvr | westus3 | Compliant | 2.0.0 | sqlserverauditingmonitoring | a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9 | azure_security_benchmark_v3.0_lt-3 | auditifnotexists | SecurityCenterBuiltIn | SQL | Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log.
wolffsqlwest3rg | Microsoft.Sql/servers | wolffwest3sqlsvr | westus3 | Compliant | 2.0.1 | sqlserveradvanceddatasecuritymonitoring | abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9 | System.Object[] | auditifnotexists | Azure_Security_Baseline | SQL | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security
wolffsqlwest3rg | Microsoft.Sql/servers | wolffwest3sqlsvr | westus3 | Compliant | 2.0.1 | sqlserveradvanceddatasecuritymonitoring | abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9 | System.Object[] | auditifnotexists | SecurityCenterBuiltIn | SQL | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security
wolffsqlwest3rg | Microsoft.Sql/servers | wolffwest3sqlsvr | westus3 | NonCompliant | 3.0.0 | vulnerabilityassessmentonservermonitoring | ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9 | azure_security_benchmark_v3.0_pv-5 | auditifnotexists | Azure_Security_Baseline | SQL | Vulnerability assessment should be enabled on your SQL servers | Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.
wolffsqlwest3rg | Microsoft.Sql/servers | wolffwest3sqlsvr | westus3 | NonCompliant | 4.0.0 | sqldbvulnerabilityassesmentmonitoring | feedbf84-6b99-488c-acc2-71c829aa5ffc | azure_security_benchmark_v3.0_pv-6 | auditifnotexists | Azure_Security_Baseline | Security Center | SQL databases should have vulnerability findings resolved | Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities.
01e7c251-3bed-4242-9d93-a5851b2e6671wolffsqlwest3rgMicrosoft.Sql/serverstbdwestus3TrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffsqlwest3rg/providers/Microsoft.Sql/servers/wolffwest3sqlsvrwolffwest3sqlsvr55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0aadauthenticationinsqlservermonitoring1f314764-cb73-4fc9-b863-8eca98ac36e9/providers/microsoft.authorization/policydefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9azure_security_benchmark_v3.0_im-1tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft servicesSQLAn Azure Active Directory administrator should be provisioned for SQL servers
01e7c251-3bed-4242-9d93-a5851b2e6671wolffsynapseMGMicrosoft.Sql/serverstbdeastusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffsynapsemg/providers/Microsoft.Sql/servers/wolffsynapsenewworkspacewolffsynapsenewworkspace55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0aadauthenticationinsqlservermonitoring1f314764-cb73-4fc9-b863-8eca98ac36e9/providers/microsoft.authorization/policydefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9azure_security_benchmark_v3.0_im-1tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft servicesSQLAn Azure Active Directory administrator should be provisioned for SQL servers
01e7c251-3bed-4242-9d93-a5851b2e6671wolffsynapseMGMicrosoft.Sql/serverstbdeastusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffsynapsemg/providers/Microsoft.Sql/servers/wolffsynapsenewworkspacewolffsynapsenewworkspace55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0aadauthenticationinsqlservermonitoring1f314764-cb73-4fc9-b863-8eca98ac36e9/providers/microsoft.authorization/policydefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9azure_security_benchmark_v3.0_im-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft servicesSQLAn Azure Active Directory administrator should be provisioned for SQL servers
01e7c251-3bed-4242-9d93-a5851b2e6671wolffsynapseMGMicrosoft.Sql/serverstbdeastusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffsynapsemg/providers/Microsoft.Sql/servers/wolffsynapsenewworkspacewolffsynapsenewworkspace55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0publicnetworkaccessonazuresqldatabaseshouldbedisabledmonitoringeffect1b8ca024-1d5c-4dec-8995-b1a932b41780/providers/microsoft.authorization/policydefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDisabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules.SQLPublic network access on Azure SQL Database should be disabled
01e7c251-3bed-4242-9d93-a5851b2e6671wolffsynapseMGMicrosoft.Sql/serverstbdeastusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffsynapsemg/providers/Microsoft.Sql/servers/wolffsynapsenewworkspacewolffsynapsenewworkspace55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0privateendpointconnectionsonazuresqldatabaseshouldbeenabledmonitoringeffect7698e800-9299-47a6-b3b6-5a0fee576eed/providers/microsoft.authorization/policydefinitions/7698e800-9299-47a6-b3b6-5a0fee576eedazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselinePrivate endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database.SQLPrivate endpoint connections on Azure SQL Database should be enabled
01e7c251-3bed-4242-9d93-a5851b2e6671wolffsynapseMGMicrosoft.Sql/serverstbdeastusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffsynapsemg/providers/Microsoft.Sql/servers/wolffsynapsenewworkspacewolffsynapsenewworkspace55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0publicnetworkaccessonazuresqldatabaseshouldbedisabledmonitoringeffect1b8ca024-1d5c-4dec-8995-b1a932b41780/providers/microsoft.authorization/policydefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineDisabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules.SQLPublic network access on Azure SQL Database should be disabled
01e7c251-3bed-4242-9d93-a5851b2e6671wolffsynapseMGMicrosoft.Sql/serverstbdeastusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffsynapsemg/providers/Microsoft.Sql/servers/wolffsynapsenewworkspacewolffsynapsenewworkspace55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0sqldbvulnerabilityassesmentmonitoringfeedbf84-6b99-488c-acc2-71c829aa5ffc/providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffcazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities.Security CenterSQL databases should have vulnerability findings resolved
01e7c251-3bed-4242-9d93-a5851b2e6671wolffsynapseMGMicrosoft.Sql/serverstbdeastusFalseNonCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffsynapsemg/providers/Microsoft.Sql/servers/wolffsynapsenewworkspacewolffsynapsenewworkspace55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0sqldbvulnerabilityassesmentmonitoringfeedbf84-6b99-488c-acc2-71c829aa5ffc/providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffcazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSRegiontbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapsregion/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities.Security CenterSQL databases should have vulnerability findings resolved
01e7c251-3bed-4242-9d93-a5851b2e6671wolffsynapseMGMicrosoft.Sql/serverstbdeastusTrueCompliant/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/resourcegroups/wolffsynapsemg/providers/Microsoft.Sql/servers/wolffsynapsenewworkspacewolffsynapsenewworkspace55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0privateendpointconnectionsonazuresqldatabaseshouldbeenabledmonitoringeffect7698e800-9299-47a6-b3b6-5a0fee576eed/providers/microsoft.authorization/policydefinitions/7698e800-9299-47a6-b3b6-5a0fee576eedazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671tbdSecurityCenterBuiltIn/subscriptions/01e7c251-3bed-4242-9d93-a5851b2e6671/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPrivate endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database.SQLPrivate endpoint connections on Azure SQL Database should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c6221d81cec7-7ded-4731-884e-90c5aa59c62255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0azuredefenderforresourcemanagershouldbeenabledmonitoringeffectc3d20c29-b36d-48fe-808b-99a87530ad99/providers/microsoft.authorization/policydefinitions/c3d20c29-b36d-48fe-808b-99a87530ad99System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center .Security CenterAzure Defender for Resource Manager should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c6221d81cec7-7ded-4731-884e-90c5aa59c62255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1emailnotificationforhighseverityalertsshouldbeenabledmonitoringeffect6e2593d9-add6-4083-9c9b-4b7d2188c899/providers/microsoft.authorization/policydefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899azure_security_benchmark_v3.0_ir-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center.Security CenterEmail notification for high severity alerts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c6221d81cec7-7ded-4731-884e-90c5aa59c62255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.3storageaccountsadvanceddatasecuritymonitoringeffect308fbb08-4ab8-4e67-9b29-592e93fb94fa/providers/microsoft.authorization/policydefinitions/308fbb08-4ab8-4e67-9b29-592e93fb94faSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts.Security CenterAzure Defender for Storage should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c6221d81cec7-7ded-4731-884e-90c5aa59c62255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1autoprovisioningoftheloganalyticsagentshouldbeenabledonyoursubscriptionmonitoringeffect475aae12-b88a-4572-8b36-9b712b2b3a17/providers/microsoft.authorization/policydefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created.Security CenterAuto provisioning of the Log Analytics agent should be enabled on your subscription
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c6221d81cec7-7ded-4731-884e-90c5aa59c62255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.3virtualmachinesadvancedthreatprotectionmonitoringeffect4da35fc9-c9e7-4960-aec9-797fe7d9051d/providers/microsoft.authorization/policydefinitions/4da35fc9-c9e7-4960-aec9-797fe7d9051dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities.Security CenterAzure Defender for servers should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c6221d81cec7-7ded-4731-884e-90c5aa59c62255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0emailnotificationtosubscriptionownerforhighseverityalertsshouldbeenabledmonitoringeffect0b15565f-aa9e-48ba-8619-45960f2c314d/providers/microsoft.authorization/policydefinitions/0b15565f-aa9e-48ba-8619-45960f2c314dazure_security_benchmark_v3.0_ir-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center.Security CenterEmail notification to subscription owner for high severity alerts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c6221d81cec7-7ded-4731-884e-90c5aa59c62255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.3appservicesadvancedthreatprotectionmonitoringeffect2913021d-f2fd-4f3d-b958-22354e2bdbcb/providers/microsoft.authorization/policydefinitions/2913021d-f2fd-4f3d-b958-22354e2bdbcbSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.Security CenterAzure Defender for App Service should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c6221d81cec7-7ded-4731-884e-90c5aa59c62255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2sqlserversvirtualmachinesadvanceddatasecuritymonitoringeffect6581d072-105e-4418-827f-bd446d56421b/providers/microsoft.authorization/policydefinitions/6581d072-105e-4418-827f-bd446d56421bSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.Security CenterAzure Defender for SQL servers on machines should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c6221d81cec7-7ded-4731-884e-90c5aa59c62255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0containersadvancedthreatprotectionmonitoringeffect1c988dd6-ade4-430f-a608-2a3e5b0a6d38/providers/microsoft.authorization/policydefinitions/1c988dd6-ade4-430f-a608-2a3e5b0a6d38System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMicrosoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments.Security CenterMicrosoft Defender for Containers should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c6221d81cec7-7ded-4731-884e-90c5aa59c62255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.3keyvaultsadvanceddatasecuritymonitoringeffect0e6763cc-5078-4e64-889d-ff4d9a839047/providers/microsoft.authorization/policydefinitions/0e6763cc-5078-4e64-889d-ff4d9a839047System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts.Security CenterAzure Defender for Key Vault should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c6221d81cec7-7ded-4731-884e-90c5aa59c62255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0identityremoveexternalaccountwithownerpermissionsmonitoringf8456c1c-aa66-4dfb-861a-25d127b775c9/providers/microsoft.authorization/policydefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineExternal accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access.Security CenterExternal accounts with owner permissions should be removed from your subscription
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c6221d81cec7-7ded-4731-884e-90c5aa59c62255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0microsoftdefendercspmshouldbeenabledmonitoringeffect1f90fc71-a595-4066-8974-d4d0802e8ef0/providers/microsoft.authorization/policydefinitions/1f90fc71-a595-4066-8974-d4d0802e8ef0System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDefender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud.Security CenterMicrosoft Defender CSPM should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c6221d81cec7-7ded-4731-884e-90c5aa59c62255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0identityremoveexternalaccountwithreadpermissionsmonitoring5f76cf89-fbf2-47fd-a3f4-b891fa780b60/providers/microsoft.authorization/policydefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60azure_security_benchmark_v3.0_pa-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineExternal accounts with read privileges should be removed from your subscription in order to prevent unmonitored access.Security CenterExternal accounts with read permissions should be removed from your subscription
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Resources/subscriptionstbdFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c6221d81cec7-7ded-4731-884e-90c5aa59c62255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0identityremoveexternalaccountwithreadpermissionsmonitoringnewe9ac8f8e-ce22-4355-8f04-99b911d6be52/providers/microsoft.authorization/policydefinitions/e9ac8f8e-ce22-4355-8f04-99b911d6be52azure_security_benchmark_v3.0_pa-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineExternal accounts with read privileges should be removed from your subscription in order to prevent unmonitored access.Security CenterGuest accounts with read permissions on Azure resources should be removed
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Resources/subscriptionstbdFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c6221d81cec7-7ded-4731-884e-90c5aa59c62255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0identityremoveexternalaccountwithwritepermissionsmonitoringnew94e1c2ac-cbbe-4cac-a2b5-389c812dee87/providers/microsoft.authorization/policydefinitions/94e1c2ac-cbbe-4cac-a2b5-389c812dee87azure_security_benchmark_v3.0_pa-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineExternal accounts with write privileges should be removed from your subscription in order to prevent unmonitored access.Security CenterGuest accounts with write permissions on Azure resources should be removed
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c6221d81cec7-7ded-4731-884e-90c5aa59c62255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0identityremoveexternalaccountwithwritepermissionsmonitoring5c607a2e-c700-4744-8254-d77e7c9eb5e4/providers/microsoft.authorization/policydefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4azure_security_benchmark_v3.0_pa-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineExternal accounts with write privileges should be removed from your subscription in order to prevent unmonitored access.Security CenterExternal accounts with write permissions should be removed from your subscription
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c6221d81cec7-7ded-4731-884e-90c5aa59c62255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0identityremoveexternalaccountwithownerpermissionsmonitoringnew339353f6-2387-4a45-abe4-7f529d121046/providers/microsoft.authorization/policydefinitions/339353f6-2387-4a45-abe4-7f529d121046System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineExternal accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access.Security CenterGuest accounts with owner permissions on Azure resources should be removed
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c6221d81cec7-7ded-4731-884e-90c5aa59c62255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0identityremovedeprecatedaccountmonitoringnew8d7e1fde-fe26-4b5f-8108-f8e432cbc2be/providers/microsoft.authorization/policydefinitions/8d7e1fde-fe26-4b5f-8108-f8e432cbc2beazure_security_benchmark_v3.0_pa-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineDeprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in.Security CenterBlocked accounts with read and write permissions on Azure resources should be removed
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c6221d81cec7-7ded-4731-884e-90c5aa59c62255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0microsoftdefendercspmshouldbeenabledmonitoringeffect1f90fc71-a595-4066-8974-d4d0802e8ef0/providers/microsoft.authorization/policydefinitions/1f90fc71-a595-4066-8974-d4d0802e8ef0System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineDefender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud.Security CenterMicrosoft Defender CSPM should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c6221d81cec7-7ded-4731-884e-90c5aa59c62255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0identityremovedeprecatedaccountwithownerpermissionsmonitoringnew0cfea604-3201-4e14-88fc-fae4c427a6c5/providers/microsoft.authorization/policydefinitions/0cfea604-3201-4e14-88fc-fae4c427a6c5System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineDeprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in.Security CenterBlocked accounts with owner permissions on Azure resources should be removed
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c6221d81cec7-7ded-4731-884e-90c5aa59c62255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0identityremovedeprecatedaccountmonitoring6b1cbf55-e8b6-442f-ba4c-7246b6381474/providers/microsoft.authorization/policydefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474azure_security_benchmark_v3.0_pa-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineDeprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in.Security CenterDeprecated accounts should be removed from your subscription
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c6221d81cec7-7ded-4731-884e-90c5aa59c62255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0azuredefenderfordnsshouldbeenabledmonitoringeffectbdc59948-5574-49b3-bb91-76b7c986428d/providers/microsoft.authorization/policydefinitions/bdc59948-5574-49b3-bb91-76b7c986428dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center .Security CenterAzure Defender for DNS should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c6221d81cec7-7ded-4731-884e-90c5aa59c62255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0azuredefenderfordnsshouldbeenabledmonitoringeffectbdc59948-5574-49b3-bb91-76b7c986428d/providers/microsoft.authorization/policydefinitions/bdc59948-5574-49b3-bb91-76b7c986428dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center .Security CenterAzure Defender for DNS should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/8dbd36c6-8339-4e7f-a9c7-dd2d6fb5b4af8dbd36c6-8339-4e7f-a9c7-dd2d6fb5b4af55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c6221d81cec7-7ded-4731-884e-90c5aa59c62255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0emailnotificationtosubscriptionownerforhighseverityalertsshouldbeenabledmonitoringeffect0b15565f-aa9e-48ba-8619-45960f2c314d/providers/microsoft.authorization/policydefinitions/0b15565f-aa9e-48ba-8619-45960f2c314dazure_security_benchmark_v3.0_ir-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center.Security CenterEmail notification to subscription owner for high severity alerts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/260691e6-68c2-47cf-bd4a-97d5fd4dbcd5260691e6-68c2-47cf-bd4a-97d5fd4dbcd555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/260691e6-68c2-47cf-bd4a-97d5fd4dbcd5260691e6-68c2-47cf-bd4a-97d5fd4dbcd555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/3aec7956-05e7-4818-bcd4-7e8496af82553aec7956-05e7-4818-bcd4-7e8496af825555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/3aec7956-05e7-4818-bcd4-7e8496af82553aec7956-05e7-4818-bcd4-7e8496af825555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/7aff565e-6c55-448d-83db-ccf482c6da2f7aff565e-6c55-448d-83db-ccf482c6da2f55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/7aff565e-6c55-448d-83db-ccf482c6da2f7aff565e-6c55-448d-83db-ccf482c6da2f55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/69724c51-5cfa-40c8-a937-6ffe37c7d6b969724c51-5cfa-40c8-a937-6ffe37c7d6b955.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/69724c51-5cfa-40c8-a937-6ffe37c7d6b969724c51-5cfa-40c8-a937-6ffe37c7d6b955.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/7fd64851-3279-459b-b614-e2b2ba760f5b7fd64851-3279-459b-b614-e2b2ba760f5b55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/7fd64851-3279-459b-b614-e2b2ba760f5b7fd64851-3279-459b-b614-e2b2ba760f5b55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c6221d81cec7-7ded-4731-884e-90c5aa59c62255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0azuredefenderforopensourcerelationaldatabasesshouldbeenabledmonitoringeffect0a9fbe0d-c5c4-4da8-87d8-f4fd77338835/providers/microsoft.authorization/policydefinitions/0a9fbe0d-c5c4-4da8-87d8-f4fd77338835System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more about the capabilities of Azure Defender for open-source relational databases at https://aka.ms/AzDforOpenSourceDBsDocu. Important: Enabling this plan will result in charges for protecting your open-source relational databases. Learn about the pricing on Security Center's pricing page: https://aka.ms/pricing-security-centerSecurity CenterAzure Defender for open-source relational databases should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/b91f4c0b-46e3-47bb-a242-eecfe23b3b5bb91f4c0b-46e3-47bb-a242-eecfe23b3b5b55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/7b266cd7-0bba-4ae2-8423-90ede5e1e8987b266cd7-0bba-4ae2-8423-90ede5e1e89855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/87d31636-ad85-4caa-802d-1535972b561287d31636-ad85-4caa-802d-1535972b561255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/87d31636-ad85-4caa-802d-1535972b561287d31636-ad85-4caa-802d-1535972b561255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c6221d81cec7-7ded-4731-884e-90c5aa59c62255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0identityenablemfaforreadpermissionsmonitoringnew81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4/providers/microsoft.authorization/policydefinitions/81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMulti-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.Security CenterAccounts with read permissions on Azure resources should be MFA enabled
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/8dbd36c6-8339-4e7f-a9c7-dd2d6fb5b4af8dbd36c6-8339-4e7f-a9c7-dd2d6fb5b4af55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/9f15f5f5-77bd-413a-aa88-4b9c68b1e7bc9f15f5f5-77bd-413a-aa88-4b9c68b1e7bc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/9f15f5f5-77bd-413a-aa88-4b9c68b1e7bc9f15f5f5-77bd-413a-aa88-4b9c68b1e7bc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c6221d81cec7-7ded-4731-884e-90c5aa59c62255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2sqlserversadvanceddatasecuritymonitoringeffect7fe3b40f-802b-4cdd-8bd4-fd799c948cc2/providers/microsoft.authorization/policydefinitions/7fe3b40f-802b-4cdd-8bd4-fd799c948cc2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.Security CenterAzure Defender for Azure SQL Database servers should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c6221d81cec7-7ded-4731-884e-90c5aa59c62255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1emailnotificationforhighseverityalertsshouldbeenabledmonitoringeffect6e2593d9-add6-4083-9c9b-4b7d2188c899/providers/microsoft.authorization/policydefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899azure_security_benchmark_v3.0_ir-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center.Security CenterEmail notification for high severity alerts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c6221d81cec7-7ded-4731-884e-90c5aa59c62255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1subscriptionsshouldhaveacontactemailaddressforsecurityissuesmonitoringeffect4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7/providers/microsoft.authorization/policydefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7azure_security_benchmark_v3.0_ir-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center.Security CenterSubscriptions should have a contact email address for security issues
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/7b266cd7-0bba-4ae2-8423-90ede5e1e8987b266cd7-0bba-4ae2-8423-90ede5e1e89855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c6221d81cec7-7ded-4731-884e-90c5aa59c62255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0identityremovedeprecatedaccountwithownerpermissionsmonitoringebb62a0c-3560-49e1-89ed-27e074e9f8ad/providers/microsoft.authorization/policydefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8adSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineDeprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in.Security CenterDeprecated accounts with owner permissions should be removed from your subscription
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Resources/subscriptionstbdFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c6221d81cec7-7ded-4731-884e-90c5aa59c62255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0identitydesignatelessthanownersmonitoring4f11b553-d42e-4e3a-89be-32ca364cad4c/providers/microsoft.authorization/policydefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4cazure_security_benchmark_v3.0_pa-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineIt is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner.Security CenterA maximum of 3 owners should be designated for your subscription
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c6221d81cec7-7ded-4731-884e-90c5aa59c62255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0identityenablemfaforwritepermissionsmonitoringeffect931e118d-50a1-4457-a5e4-78550e086c52/providers/microsoft.authorization/policydefinitions/931e118d-50a1-4457-a5e4-78550e086c52azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMulti-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.Security CenterAccounts with write permissions on Azure resources should be MFA enabled
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c6221d81cec7-7ded-4731-884e-90c5aa59c62255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0identityenablemfaforwritepermissionsmonitoringeffect931e118d-50a1-4457-a5e4-78550e086c52/providers/microsoft.authorization/policydefinitions/931e118d-50a1-4457-a5e4-78550e086c52azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMulti-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.Security CenterAccounts with write permissions on Azure resources should be MFA enabled
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c6221d81cec7-7ded-4731-884e-90c5aa59c62255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0identityenablemfaforreadpermissionsmonitoringe3576e28-8b17-4677-84c3-db2990658d64/providers/microsoft.authorization/policydefinitions/e3576e28-8b17-4677-84c3-db2990658d64azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMulti-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.Security CenterMFA should be enabled on accounts with read permissions on your subscription
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c6221d81cec7-7ded-4731-884e-90c5aa59c62255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.1identityenablemfaforwritepermissionsmonitoring9297c21d-2ed6-4474-b48f-163f75654ce3/providers/microsoft.authorization/policydefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMulti-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.Security CenterMFA should be enabled for accounts with write permissions on your subscription
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c6221d81cec7-7ded-4731-884e-90c5aa59c62255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0identityenablemfaforownerpermissionsmonitoringnewe3e008c3-56b9-4133-8fd7-d3347377402a/providers/microsoft.authorization/policydefinitions/e3e008c3-56b9-4133-8fd7-d3347377402aazure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMulti-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.Security CenterAccounts with owner permissions on Azure resources should be MFA enabled
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c6221d81cec7-7ded-4731-884e-90c5aa59c62255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0identityenablemfaforownerpermissionsmonitoringaa633080-8b72-40c4-a2d7-d00c03e80bed/providers/microsoft.authorization/policydefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bedazure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMulti-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.Security CenterMFA should be enabled on accounts with owner permissions on your subscription
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c6221d81cec7-7ded-4731-884e-90c5aa59c62255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0identitydesignatemorethanoneownermonitoring09024ccc-0c5f-475e-9457-b7c0d9ed487b/providers/microsoft.authorization/policydefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487bazure_security_benchmark_v3.0_pa-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinIt is recommended to designate more than one subscription owner in order to have administrator access redundancy.Security CenterThere should be more than one owner assigned to your subscription
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Resources/subscriptionstbdFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c6221d81cec7-7ded-4731-884e-90c5aa59c62255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0identitydesignatelessthanownersmonitoring4f11b553-d42e-4e3a-89be-32ca364cad4c/providers/microsoft.authorization/policydefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4cazure_security_benchmark_v3.0_pa-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinIt is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner.Security CenterA maximum of 3 owners should be designated for your subscription
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/a16c43ca-2d67-4dcd-9ded-6412f5edc51aa16c43ca-2d67-4dcd-9ded-6412f5edc51a55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/a16c43ca-2d67-4dcd-9ded-6412f5edc51aa16c43ca-2d67-4dcd-9ded-6412f5edc51a55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/a48d7796-14b4-4889-afef-fbb65a93e5a2a48d7796-14b4-4889-afef-fbb65a93e5a255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/a48d7796-14b4-4889-afef-fbb65a93e5a2a48d7796-14b4-4889-afef-fbb65a93e5a255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/94ddc4bc-25f5-4f3e-b527-c587da93cfe494ddc4bc-25f5-4f3e-b527-c587da93cfe455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/94ddc4bc-25f5-4f3e-b527-c587da93cfe494ddc4bc-25f5-4f3e-b527-c587da93cfe455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/a48d7896-14b4-4889-afef-fbb65a96e5a2a48d7896-14b4-4889-afef-fbb65a96e5a255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/a48d7896-14b4-4889-afef-fbb65a96e5a2a48d7896-14b4-4889-afef-fbb65a96e5a255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/a7b1b19a-0e83-4fe5-935c-faaefbfd18c3a7b1b19a-0e83-4fe5-935c-faaefbfd18c355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/a7b1b19a-0e83-4fe5-935c-faaefbfd18c3a7b1b19a-0e83-4fe5-935c-faaefbfd18c355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/e078ab98-ef3a-4c9a-aba7-12f5172b45d0e078ab98-ef3a-4c9a-aba7-12f5172b45d055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/b91f4c0b-46e3-47bb-a242-eecfe23b3b5bb91f4c0b-46e3-47bb-a242-eecfe23b3b5b55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/e078ab98-ef3a-4c9a-aba7-12f5172b45d0e078ab98-ef3a-4c9a-aba7-12f5172b45d055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/21d96096-b162-414a-8302-d8354f9d91b221d96096-b162-414a-8302-d8354f9d91b255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c6221d81cec7-7ded-4731-884e-90c5aa59c62255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0identityremovedeprecatedaccountwithownerpermissionsmonitoringebb62a0c-3560-49e1-89ed-27e074e9f8ad/providers/microsoft.authorization/policydefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8adSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDeprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in.Security CenterDeprecated accounts with owner permissions should be removed from your subscription
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c6221d81cec7-7ded-4731-884e-90c5aa59c62255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0identityenablemfaforreadpermissionsmonitoringnew81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4/providers/microsoft.authorization/policydefinitions/81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMulti-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.Security CenterAccounts with read permissions on Azure resources should be MFA enabled
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c6221d81cec7-7ded-4731-884e-90c5aa59c62255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0identityremovedeprecatedaccountmonitoring6b1cbf55-e8b6-442f-ba4c-7246b6381474/providers/microsoft.authorization/policydefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474azure_security_benchmark_v3.0_pa-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDeprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in.Security CenterDeprecated accounts should be removed from your subscription
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c6221d81cec7-7ded-4731-884e-90c5aa59c62255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0identityremovedeprecatedaccountwithownerpermissionsmonitoringnew0cfea604-3201-4e14-88fc-fae4c427a6c5/providers/microsoft.authorization/policydefinitions/0cfea604-3201-4e14-88fc-fae4c427a6c5System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDeprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in.Security CenterBlocked accounts with owner permissions on Azure resources should be removed
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c6221d81cec7-7ded-4731-884e-90c5aa59c62255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1subscriptionsshouldhaveacontactemailaddressforsecurityissuesmonitoringeffect4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7/providers/microsoft.authorization/policydefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7azure_security_benchmark_v3.0_ir-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center.Security CenterSubscriptions should have a contact email address for security issues
1d81cec7-7ded-4731-884e-90c5aa59c622Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c6221d81cec7-7ded-4731-884e-90c5aa59c62255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.1identityenablemfaforwritepermissionsmonitoring9297c21d-2ed6-4474-b48f-163f75654ce3/providers/microsoft.authorization/policydefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMulti-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.Security CenterMFA should be enabled for accounts with write permissions on your subscription
1d81cec7-7ded-4731-884e-90c5aa59c622,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,1d81cec7-7ded-4731-884e-90c5aa59c622,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,azuredefenderforresourcemanagershouldbeenabledmonitoringeffect,c3d20c29-b36d-48fe-808b-99a87530ad99,/providers/microsoft.authorization/policydefinitions/c3d20c29-b36d-48fe-808b-99a87530ad99,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center .",Security Center,Azure Defender for Resource Manager should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,1d81cec7-7ded-4731-884e-90c5aa59c622,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,identityenablemfaforownerpermissionsmonitoringnew,e3e008c3-56b9-4133-8fd7-d3347377402a,/providers/microsoft.authorization/policydefinitions/e3e008c3-56b9-4133-8fd7-d3347377402a,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.",Security Center,Accounts with owner permissions on Azure resources should be MFA enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,1d81cec7-7ded-4731-884e-90c5aa59c622,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,identityenablemfaforownerpermissionsmonitoring,aa633080-8b72-40c4-a2d7-d00c03e80bed,/providers/microsoft.authorization/policydefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.",Security Center,MFA should be enabled on accounts with owner permissions on your subscription
1d81cec7-7ded-4731-884e-90c5aa59c622,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,1d81cec7-7ded-4731-884e-90c5aa59c622,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,identitydesignatemorethanoneownermonitoring,09024ccc-0c5f-475e-9457-b7c0d9ed487b,/providers/microsoft.authorization/policydefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b,azure_security_benchmark_v3.0_pa-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"It is recommended to designate more than one subscription owner in order to have administrator access redundancy.",Security Center,There should be more than one owner assigned to your subscription
1d81cec7-7ded-4731-884e-90c5aa59c622,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,1d81cec7-7ded-4731-884e-90c5aa59c622,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,azuredefenderforopensourcerelationaldatabasesshouldbeenabledmonitoringeffect,0a9fbe0d-c5c4-4da8-87d8-f4fd77338835,/providers/microsoft.authorization/policydefinitions/0a9fbe0d-c5c4-4da8-87d8-f4fd77338835,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more about the capabilities of Azure Defender for open-source relational databases at https://aka.ms/AzDforOpenSourceDBsDocu. Important: Enabling this plan will result in charges for protecting your open-source relational databases. Learn about the pricing on Security Center's pricing page: https://aka.ms/pricing-security-center",Security Center,Azure Defender for open-source relational databases should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,1d81cec7-7ded-4731-884e-90c5aa59c622,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,autoprovisioningoftheloganalyticsagentshouldbeenabledonyoursubscriptionmonitoringeffect,475aae12-b88a-4572-8b36-9b712b2b3a17,/providers/microsoft.authorization/policydefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created.",Security Center,Auto provisioning of the Log Analytics agent should be enabled on your subscription
1d81cec7-7ded-4731-884e-90c5aa59c622,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,1d81cec7-7ded-4731-884e-90c5aa59c622,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.3,virtualmachinesadvancedthreatprotectionmonitoringeffect,4da35fc9-c9e7-4960-aec9-797fe7d9051d,/providers/microsoft.authorization/policydefinitions/4da35fc9-c9e7-4960-aec9-797fe7d9051d,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities.",Security Center,Azure Defender for servers should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,1d81cec7-7ded-4731-884e-90c5aa59c622,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,containersadvancedthreatprotectionmonitoringeffect,1c988dd6-ade4-430f-a608-2a3e5b0a6d38,/providers/microsoft.authorization/policydefinitions/1c988dd6-ade4-430f-a608-2a3e5b0a6d38,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments.",Security Center,Microsoft Defender for Containers should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,1d81cec7-7ded-4731-884e-90c5aa59c622,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,identityenablemfaforreadpermissionsmonitoring,e3576e28-8b17-4677-84c3-db2990658d64,/providers/microsoft.authorization/policydefinitions/e3576e28-8b17-4677-84c3-db2990658d64,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.",Security Center,MFA should be enabled on accounts with read permissions on your subscription
1d81cec7-7ded-4731-884e-90c5aa59c622,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,1d81cec7-7ded-4731-884e-90c5aa59c622,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.3,appservicesadvancedthreatprotectionmonitoringeffect,2913021d-f2fd-4f3d-b958-22354e2bdbcb,/providers/microsoft.authorization/policydefinitions/2913021d-f2fd-4f3d-b958-22354e2bdbcb,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.",Security Center,Azure Defender for App Service should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,1d81cec7-7ded-4731-884e-90c5aa59c622,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.3,storageaccountsadvanceddatasecuritymonitoringeffect,308fbb08-4ab8-4e67-9b29-592e93fb94fa,/providers/microsoft.authorization/policydefinitions/308fbb08-4ab8-4e67-9b29-592e93fb94fa,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts.",Security Center,Azure Defender for Storage should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,1d81cec7-7ded-4731-884e-90c5aa59c622,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.3,keyvaultsadvanceddatasecuritymonitoringeffect,0e6763cc-5078-4e64-889d-ff4d9a839047,/providers/microsoft.authorization/policydefinitions/0e6763cc-5078-4e64-889d-ff4d9a839047,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts.",Security Center,Azure Defender for Key Vault should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,1d81cec7-7ded-4731-884e-90c5aa59c622,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,sqlserversadvanceddatasecuritymonitoringeffect,7fe3b40f-802b-4cdd-8bd4-fd799c948cc2,/providers/microsoft.authorization/policydefinitions/7fe3b40f-802b-4cdd-8bd4-fd799c948cc2,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.",Security Center,Azure Defender for Azure SQL Database servers should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,,Microsoft.Resources/subscriptions,tbd,,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,1d81cec7-7ded-4731-884e-90c5aa59c622,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,identityremoveexternalaccountwithreadpermissionsmonitoringnew,e9ac8f8e-ce22-4355-8f04-99b911d6be52,/providers/microsoft.authorization/policydefinitions/e9ac8f8e-ce22-4355-8f04-99b911d6be52,azure_security_benchmark_v3.0_pa-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access.",Security Center,Guest accounts with read permissions on Azure resources should be removed
1d81cec7-7ded-4731-884e-90c5aa59c622,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,1d81cec7-7ded-4731-884e-90c5aa59c622,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,identityremoveexternalaccountwithreadpermissionsmonitoring,5f76cf89-fbf2-47fd-a3f4-b891fa780b60,/providers/microsoft.authorization/policydefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60,azure_security_benchmark_v3.0_pa-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access.",Security Center,External accounts with read permissions should be removed from your subscription
1d81cec7-7ded-4731-884e-90c5aa59c622,,Microsoft.Resources/subscriptions,tbd,,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,1d81cec7-7ded-4731-884e-90c5aa59c622,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,identityremoveexternalaccountwithwritepermissionsmonitoringnew,94e1c2ac-cbbe-4cac-a2b5-389c812dee87,/providers/microsoft.authorization/policydefinitions/94e1c2ac-cbbe-4cac-a2b5-389c812dee87,azure_security_benchmark_v3.0_pa-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access.",Security Center,Guest accounts with write permissions on Azure resources should be removed
1d81cec7-7ded-4731-884e-90c5aa59c622,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,1d81cec7-7ded-4731-884e-90c5aa59c622,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,identityremoveexternalaccountwithwritepermissionsmonitoring,5c607a2e-c700-4744-8254-d77e7c9eb5e4,/providers/microsoft.authorization/policydefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4,azure_security_benchmark_v3.0_pa-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access.",Security Center,External accounts with write permissions should be removed from your subscription
1d81cec7-7ded-4731-884e-90c5aa59c622,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,1d81cec7-7ded-4731-884e-90c5aa59c622,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,identityremoveexternalaccountwithownerpermissionsmonitoringnew,339353f6-2387-4a45-abe4-7f529d121046,/providers/microsoft.authorization/policydefinitions/339353f6-2387-4a45-abe4-7f529d121046,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access.",Security Center,Guest accounts with owner permissions on Azure resources should be removed
1d81cec7-7ded-4731-884e-90c5aa59c622,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,1d81cec7-7ded-4731-884e-90c5aa59c622,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,identityremoveexternalaccountwithownerpermissionsmonitoring,f8456c1c-aa66-4dfb-861a-25d127b775c9,/providers/microsoft.authorization/policydefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access.",Security Center,External accounts with owner permissions should be removed from your subscription
1d81cec7-7ded-4731-884e-90c5aa59c622,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,1d81cec7-7ded-4731-884e-90c5aa59c622,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,identityremovedeprecatedaccountmonitoringnew,8d7e1fde-fe26-4b5f-8108-f8e432cbc2be,/providers/microsoft.authorization/policydefinitions/8d7e1fde-fe26-4b5f-8108-f8e432cbc2be,azure_security_benchmark_v3.0_pa-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in.",Security Center,Blocked accounts with read and write permissions on Azure resources should be removed
1d81cec7-7ded-4731-884e-90c5aa59c622,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,1d81cec7-7ded-4731-884e-90c5aa59c622,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,sqlserversvirtualmachinesadvanceddatasecuritymonitoringeffect,6581d072-105e-4418-827f-bd446d56421b,/providers/microsoft.authorization/policydefinitions/6581d072-105e-4418-827f-bd446d56421b,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.",Security Center,Azure Defender for SQL servers on machines should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,,Microsoft.Authorization/roleDefinitions,tbd,,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/21d96096-b162-414a-8302-d8354f9d91b2,21d96096-b162-414a-8302-d8354f9d91b2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,userbacrulesmonitoring,a451c1ef-c6ca-483d-87ed-f49761e3ffb5,/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5,azure_security_benchmark_v3.0_pa-7,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling",General,Audit usage of custom RBAC rules
1d81cec7-7ded-4731-884e-90c5aa59c622,,Microsoft.Authorization/roleDefinitions,tbd,,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/fd1bb084-1503-4bd2-99c0-630220046786,fd1bb084-1503-4bd2-99c0-630220046786,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,userbacrulesmonitoring,a451c1ef-c6ca-483d-87ed-f49761e3ffb5,/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5,azure_security_benchmark_v3.0_pa-7,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling",General,Audit usage of custom RBAC rules
1d81cec7-7ded-4731-884e-90c5aa59c622,,Microsoft.Authorization/roleDefinitions,tbd,,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/roledefinitions/fd1bb084-1503-4bd2-99c0-630220046786,fd1bb084-1503-4bd2-99c0-630220046786,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,userbacrulesmonitoring,a451c1ef-c6ca-483d-87ed-f49761e3ffb5,/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5,azure_security_benchmark_v3.0_pa-7,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling",General,Audit usage of custom RBAC rules
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump,amatcc-jump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines/extensions,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1/extensions/azurepolicyforlinux,azurepolicyforlinux,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump,amatcc-jump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump,amatcc-jump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1,amatcc1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,Azure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines/extensions,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump/extensions/azurepolicyforwindows,azurepolicyforwindows,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines/extensions,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1/extensions/azurepolicyforlinux,azurepolicyforlinux,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump,amatcc-jump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump,amatcc-jump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,IP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump,amatcc-jump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,Management ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jumpamatcc-jump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jumpamatcc-jump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jumpamatcc-jump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jumpamatcc-jump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1amatcc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jumpamatcc-jump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jumpamatcc-jump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jumpamatcc-jump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jumpamatcc-jump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jumpamatcc-jump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2-previewascdependencyagentauditwindowseffect2f2ee1de-44aa-4762-b6bd-0893fc3f306d/providers/microsoft.authorization/policydefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306dazure_security_benchmark_v3.0_lt-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSecurity Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.Monitoring[Preview]: Network traffic data collection agent should be installed on Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jumpamatcc-jump1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration1.2.0prerequisite_deployextensionwindows385f5831-96d4-41db-9a3c-cd3af78aaae6/providers/microsoft.authorization/policydefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6tbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jumpamatcc-jump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1amatcc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jumpamatcc-jump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Network/virtualNetworkstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.network/virtualnetworks/amatvnetamatvnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0-previewazurefirewalleffectfc5e4038-4584-4632-8c85-c0448d374b2c/providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2cazure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewallNetwork[Preview]: All Internet traffic should be routed via your deployed Azure Firewall
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1amatcc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1amatcc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jumpamatcc-jump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jumpamatcc-jump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jumpamatcc-jump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jumpamatcc-jump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jumpamatcc-jump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jumpamatcc-jump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jumpamatcc-jump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump,amatcc-jump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,Adaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump,amatcc-jump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,Management ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump,amatcc-jump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump,amatcc-jump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,System updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump,amatcc-jump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Non-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump,amatcc-jump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump,amatcc-jump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,Allowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump,amatcc-jump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,Adaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1,amatcc1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,Allowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1,amatcc1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,Management ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1,amatcc1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,Adaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1,amatcc1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,System updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Network/virtualNetworks/subnets,tbd,,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.network/virtualnetworks/amatvnet/subnets/azurebastionsubnet,azurebastionsubnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",Security Center,Subnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Network/virtualNetworks,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.network/virtualnetworks/amatvnet,amatvnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networkwatchershouldbeenabledmonitoringeffect,b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,azure_security_benchmark_v3.0_ir-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.",Network,Network Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Network/virtualNetworks/subnets,tbd,,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.network/virtualnetworks/amatvnet/subnets/admin,admin,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",Security Center,Subnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1,amatcc1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Network/virtualNetworks,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.network/virtualnetworks/amatvnet,amatvnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networkwatchershouldbeenabledmonitoringeffect,b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,azure_security_benchmark_v3.0_ir-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.",Network,Network Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1,amatcc1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1,amatcc1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1,amatcc1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1,amatcc1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1,amatcc1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,IP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1,amatcc1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,Management ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1,amatcc1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,Monitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1,amatcc1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1,amatcc1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1,amatcc1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,Vulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1,amatcc1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Non-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1,amatcc1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,Vulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump,amatcc-jump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,Management ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump,amatcc-jump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump,amatcc-jump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,Guest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1,amatcc1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,Azure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jumpamatcc-jump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1amatcc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1amatcc11.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration3.0.0prerequisite_deployextensionlinux331e8ea8-378a-410f-a2e5-ae22f38bb0da/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0datbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1amatcc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1amatcc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1amatcc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1amatcc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1amatcc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1amatcc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1amatcc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1amatcc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1amatcc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1amatcc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1amatcc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1amatcc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Network/virtualNetworkstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.network/virtualnetworks/amatvnetamatvnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0-previewazurefirewalleffectfc5e4038-4584-4632-8c85-c0448d374b2c/providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2cazure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewallNetwork[Preview]: All Internet traffic should be routed via your deployed Azure Firewall
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jumpamatcc-jump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jumpamatcc-jump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jumpamatcc-jump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0windowsdefenderexploitguardmonitoringbed48b13-6647-468e-aa2f-1af1d3f4dd40/providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinWindows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).Guest ConfigurationWindows Defender Exploit Guard should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jumpamatcc-jump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jumpamatcc-jump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jumpamatcc-jump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jumpamatcc-jump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump,amatcc-jump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump,amatcc-jump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Network/virtualNetworks,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.network/virtualnetworks/amatvnet,amatvnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vnetenableddosprotectionmonitoring,a7aca53f-2ed4-4466-a25e-0b45ade68efd,/providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd,azure_security_benchmark_v3.0_ns-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.",Security Center,Azure DDoS Protection Standard should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump,amatcc-jump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2-preview,ascdependencyagentauditwindowseffect,2f2ee1de-44aa-4762-b6bd-0893fc3f306d,/providers/microsoft.authorization/policydefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d,azure_security_benchmark_v3.0_lt-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.",Monitoring,[Preview]: Network traffic data collection agent should be installed on Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump,amatcc-jump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,Azure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump,amatcc-jump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump,amatcc-jump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines/extensions,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump/extensions/azurepolicyforwindows,azurepolicyforwindows,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump,amatcc-jump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump,amatcc-jump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect,5752e6d6-1206-46d8-8ab1-ecc2f71a8112,/providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112,azure_security_benchmark_v3.0_dp-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.",Guest Configuration,Windows web servers should be configured to use secure communication protocols
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump,amatcc-jump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,windowsdefenderexploitguardmonitoring,bed48b13-6647-468e-aa2f-1af1d3f4dd40,/providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).",Guest Configuration,Windows Defender Exploit Guard should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump,amatcc-jump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump,amatcc-jump,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhenuser,497dff13-db2a-4c0f-8603-28fa3b331ab6,/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump,amatcc-jump,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhennone,3cf2ab00-13f1-4d0c-8971-2ac904541a7e,/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Exempt,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1,amatcc1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,System updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1,amatcc1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1,amatcc1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1,amatcc1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1,amatcc1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1,amatcc1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1,amatcc1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Exempt,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump,amatcc-jump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,System updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1,amatcc1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,Guest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1,amatcc1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,Linux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1,amatcc1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,Management ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump,amatcc-jump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,windowsguestconfigbaselinesmonitoring,72650e9f-97bc-4b2a-ab5f-9781a9fcecbc,/providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,Windows machines should meet requirements of the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1,amatcc1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,Authentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1,amatcc1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,Linux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump,amatcc-jump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,Adaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump,amatcc-jump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,Management ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,amatcc,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jump,amatcc-jump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,IP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1amatcc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jumpamatcc-jump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0windowsguestconfigbaselinesmonitoring72650e9f-97bc-4b2a-ab5f-9781a9fcecbc/providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbcazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationWindows machines should meet requirements of the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1amatcc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc-jumpamatcc-jump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect5752e6d6-1206-46d8-8ab1-ecc2f71a8112/providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112azure_security_benchmark_v3.0_dp-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.Guest ConfigurationWindows web servers should be configured to use secure communication protocols
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1amatcc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1amatcc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1amatcc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1amatcc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1amatcc11.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1amatcc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1amatcc11.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622amatccMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/amatcc/providers/microsoft.compute/virtualmachines/amatcc1amatcc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2,armtestvm2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,All network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2,armtestvm2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2,armtestvm2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,All network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2,armtestvm2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2,armtestvm2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2,armtestvm2,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhenuser,497dff13-db2a-4c0f-8603-28fa3b331ab6,/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,,tbd,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2,armtestvm2,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhennone,3cf2ab00-13f1-4d0c-8971-2ac904541a7e,/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,,tbd,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2,armtestvm2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,Linux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2,armtestvm2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,Linux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2,armtestvm2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,Authentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2,armtestvm2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,Authentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2,armtestvm2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,A vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2,armtestvm2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,Azure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2,armtestvm2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2,armtestvm2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2,armtestvm2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,SQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2,armtestvm2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2,armtestvm2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,IP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2,armtestvm2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,Management ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2,armtestvm2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,Adaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2,armtestvm2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,System updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2,armtestvm2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2,armtestvm2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2,armtestvm2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2,armtestvm2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm21.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
SubscriptionId | ResourceGroup | ResourceType | ResourceTags | ResourceLocation | IsCompliant | ComplianceState | EffectiveParameters | ResourceId | Resource | PolicySetDefinitionVersion | PolicySetDefinitionParameters | PolicySetDefinitionOwner | PolicySetDefinitionName | PolicySetDefinitionId | PolicySetDefinitionCategory | PolicyEvaluationDetails | PolicyDefinitionVersion | PolicyDefinitionReferenceId | PolicyDefinitionName | PolicyDefinitionId | PolicyDefinitionGroupNames | PolicyDefinitionCategory | PolicyDefinitionAction | PolicyAssignmentVersion | PolicyAssignmentScope | PolicyAssignmentParameters | PolicyAssignmentOwner | PolicyAssignmentName | PolicyAssignmentId | PolicyDescription | PolicyCategory | PolicyDisplayName
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm21.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration3.0.0prerequisite_deployextensionlinux331e8ea8-378a-410f-a2e5-ae22f38bb0da/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0datbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vmarmtest-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachineScaleSetstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachinescalesets/oss-4cdsx3j5brhdjoss-4cdsx3j5brhdj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmssmonitoringa3a6ea0c-e018-4933-9ef0-5aaa1501449b/providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449bazure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSecurity Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats.Security CenterLog Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachineScaleSetstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachinescalesets/oss-4cdsx3j5brhdjoss-4cdsx3j5brhdj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmssosvulnerabilitiesmonitoring3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4/providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks.Security CenterVulnerabilities in security configuration on your virtual machine scale sets should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachineScaleSetstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachinescalesets/oss-4cdsx3j5brhdjoss-4cdsx3j5brhdj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmssendpointprotectionmonitoring26a828e1-e88f-464e-bbb3-c134a282b9de/providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9deazure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.Security CenterEndpoint protection solution should be installed on virtual machine scale sets
1d81cec7-7ded-4731-884e-90c5aa59c622ARMTESTMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugyfiler-g5rwmzlemi2gmllemiytaljugy1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622ARMTESTMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugyfiler-g5rwmzlemi2gmllemiytaljugy1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vmarmtest-jump-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachineScaleSetstbdsouthcentralusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachinescalesets/oss-4cdsx3j5brhdjoss-4cdsx3j5brhdj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmsssystemupdatesmonitoringc3f317a7-a95c-4547-b7e7-11017ebdf2fe/providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2feazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure.Security CenterSystem updates on virtual machine scale sets should be installed
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vmarmtest-jump-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vmarmtest-jump-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vmarmtest-jump-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2-previewascdependencyagentauditlinuxeffect04c4380f-3fae-46e8-96c9-30193528f602/providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602azure_security_benchmark_v3.0_lt-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecurity Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.Monitoring[Preview]: Network traffic data collection agent should be installed on Linux virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vmarmtest-jump-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm,armtest-jump-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,IP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm,armtest-jump-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,Management ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm,armtest-jump-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,Adaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1,arm-cc-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,Authentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm,armtest-jump-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,SQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga,server-gzstsmlegeygmljqmztgiljuga,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,Authentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622,ARMTEST,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy,filer-g5rwmzlemi2gmllemiytaljugy,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,Authentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Exempt,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1,armtestvm1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,System updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1,armtestvm1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1,armtestvm1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1,armtestvm1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1,armtestvm1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1,armtestvm1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga,server-gzstsmlegeygmljqmztgiljuga,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,Linux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1,armtestvm1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1,armtestvm1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1,armtestvm1,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhenuser,497dff13-db2a-4c0f-8603-28fa3b331ab6,/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1,armtestvm1,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhennone,3cf2ab00-13f1-4d0c-8971-2ac904541a7e,/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga,server-gzstsmlegeygmljqmztgiljuga,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,Linux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga,server-gzstsmlegeygmljqmztgiljuga,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,Authentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv,mds-mmztemzug5rtgljxgfswkljugv,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,Linux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1,armtestvm1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm,armtest-jump-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,All network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm,armtest-jump-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,A vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm,armtest-jump-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm,armtest-jump-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,IP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm,armtest-jump-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,Management ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm,armtest-jump-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,Adaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm,armtest-jump-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,SQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm,armtest-jump-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,All network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vmarmtest-jump-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vmarmtest-jump-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vmarmtest-jump-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vmarmtest-jump-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vmarmtest-jump-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vmarmtest-jump-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vmarmtest-jump-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vmarmtest-jump-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vmarmtest-jump-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vmarmtest-jump-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2-previewascdependencyagentauditlinuxeffect04c4380f-3fae-46e8-96c9-30193528f602/providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602azure_security_benchmark_v3.0_lt-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSecurity Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.Monitoring[Preview]: Network traffic data collection agent should be installed on Linux virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vmarmtest-jump-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vmarmtest-jump-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vmarmtest-jump-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vmarmtest-jump-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vmarmtest-jump-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vmarmtest-jump-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vmarmtest-jump-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vmarmtest-jump-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vmarmtest-jump-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vmarmtest-jump-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vmarmtest-jump-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1arm-cc-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vmarmtest-jump-vm1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration3.0.0prerequisite_deployextensionlinux331e8ea8-378a-410f-a2e5-ae22f38bb0da/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0datbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
Policy evaluation records for virtual machines (Microsoft.Compute/virtualMachines) in resource group armtest, subscription 1d81cec7-7ded-4731-884e-90c5aa59c622, location eastus, tags tbd. One record per resource and policy definition; policy definition and assignment IDs follow the standard /providers/microsoft.authorization/... form for the names given.

Resource: armtest-jump-vm
Compliance: Compliant
Policy: Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring (category Security Center)
  Definition: a4fe33eb-e377-4efb-ab31-0784311bc499, v1.0.0, reference id installloganalyticsagentonvmmonitoring, group azure_security_benchmark_v3.0_lt-5, effect auditifnotexists
  Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (security center, v55.0.0)
  Assignment: Azure_Security_Baseline, scope /providers/Microsoft.Management/managementGroups/MCAPSCore
  Description: This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats.

Resource: armtest-cc-vm
Compliance: Compliant
Policy: Authentication to Linux machines should require SSH keys (category Guest Configuration)
  Definition: 630c64f9-8b6b-4c64-b511-6544ceff6fd6, v3.0.0, reference id authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect, group azure_security_benchmark_v3.0_im-6, effect auditifnotexists
  Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (security center, v55.0.0)
  Assignment: SecurityCenterBuiltIn, scope /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622
  Description: Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.

Resource: armtest-jump-vm
Compliance: NonCompliant
Policy: Endpoint protection health issues should be resolved on your machines (category Security Center)
  Definition: 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2, v1.0.0, reference id endpointprotectionhealthissuesmonitoringeffect, group System.Object[], effect auditifnotexists
  Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (security center, v55.0.0)
  Assignment: SecurityCenterBuiltIn, scope /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622
  Description: Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.

Resource: armtest-jump-vm
Compliance: NonCompliant
Policy: Endpoint protection should be installed on your machines (category Security Center)
  Definition: 1f7c564c-0a90-4d44-b7e1-9d456cffaee8, v1.0.0, reference id installendpointprotection, group azure_security_benchmark_v3.0_es-2, effect auditifnotexists
  Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (security center, v55.0.0)
  Assignment: SecurityCenterBuiltIn, scope /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622
  Description: To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.

Resource: armtestvm1
Compliance: NonCompliant
Policy: Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring (category Security Center)
  Definition: a4fe33eb-e377-4efb-ab31-0784311bc499, v1.0.0, reference id installloganalyticsagentonvmmonitoring, group azure_security_benchmark_v3.0_lt-5, effect auditifnotexists
  Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (security center, v55.0.0)
  Assignment: SecurityCenterBuiltIn, scope /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622
  Description: This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats.

Resource: armtestvm2
Compliance: NonCompliant
Policy: Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities (category Guest Configuration)
  Definition: 3cf2ab00-13f1-4d0c-8971-2ac904541a7e, v4.0.0, reference id prerequisite_addsystemidentitywhennone, effect modify
  Policy set: 12794019-7a00-42cf-95c2-882eed337cc8 (guest configuration, v1.0.0)
  Assignment: f34f1577286a4f77b5dd107c, scope /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd
  Description: This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.

Resource: armtestvm2
Compliance: Compliant
Policy: Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity (category Guest Configuration)
  Definition: 497dff13-db2a-4c0f-8603-28fa3b331ab6, v4.0.0, reference id prerequisite_addsystemidentitywhenuser, effect modify
  Policy set: 12794019-7a00-42cf-95c2-882eed337cc8 (guest configuration, v1.0.0)
  Assignment: f34f1577286a4f77b5dd107c, scope /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd
  Description: This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.

Resource: armtestvm2
Compliance: Compliant
Policy: Virtual machines should be migrated to new Azure Resource Manager resources (category Compute)
  Definition: 1d84d5fb-01f6-4d12-ba4f-4a26081d403d, v1.0.0, reference id classiccomputevmsmonitoring, group azure_security_benchmark_v3.0_am-2, effect audit
  Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (security center, v55.0.0)
  Assignment: SecurityCenterBuiltIn, scope /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622
  Description: Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management.

Resource: armtestvm2
Compliance: Compliant
Policy: Vulnerabilities in security configuration on your machines should be remediated (category Security Center)
  Definition: e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15, v3.0.0, reference id systemconfigurationsmonitoring, group azure_security_benchmark_v3.0_pv-6, effect auditifnotexists
  Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (security center, v55.0.0)
  Assignment: Azure_Security_Baseline, scope /providers/Microsoft.Management/managementGroups/MCAPSCore
  Description: Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations.

Resource: armtestvm2
Compliance: NonCompliant
Policy: Linux machines should meet requirements for the Azure compute security baseline (category Guest Configuration)
  Definition: fc9b3da7-8347-4380-8e70-0a0361d8dedd, v2.0.0, reference id linuxguestconfigbaselinesmonitoring, group azure_security_benchmark_v3.0_pv-4, effect auditifnotexists
  Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (security center, v55.0.0)
  Assignment: SecurityCenterBuiltIn, scope /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622
  Description: Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.

Resource: armtestvm2
Compliance: Compliant
Policy: Adaptive application controls for defining safe applications should be enabled on your machines (category Security Center)
  Definition: 47a6b606-51aa-4496-8bb7-64b11cf66adc, v3.0.0, reference id adaptiveapplicationcontrolsmonitoring, group azure_security_benchmark_v3.0_am-5, effect auditifnotexists
  Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (security center, v55.0.0)
  Assignment: Azure_Security_Baseline, scope /providers/Microsoft.Management/managementGroups/MCAPSCore
  Description: Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.

Resource: armtestvm2
Compliance: NonCompliant
Policy: SQL servers on machines should have vulnerability findings resolved (category Security Center)
  Definition: 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d, v1.0.0, reference id serversqldbvulnerabilityassesmentmonitoring, group azure_security_benchmark_v3.0_pv-6, effect auditifnotexists
  Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (security center, v55.0.0)
  Assignment: Azure_Security_Baseline, scope /providers/Microsoft.Management/managementGroups/MCAPSCore
  Description: SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.

Resource: armtestvm2
Compliance: Compliant
Policy: Vulnerabilities in container security configurations should be remediated (category Security Center)
  Definition: e8cbc669-f12d-49eb-93e7-9273119e9933, v3.0.0, reference id containerbenchmarkmonitoring, group System.Object[], effect auditifnotexists
  Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (security center, v55.0.0)
  Assignment: Azure_Security_Baseline, scope /providers/Microsoft.Management/managementGroups/MCAPSCore
  Description: Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.

Resource: armtestvm2
Compliance: Compliant
Policy: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources (category Security Center)
  Definition: 0961003e-5a0a-4549-abde-af6a37f2724d, v2.0.3, reference id diskencryptionmonitoring, group azure_security_benchmark_v3.0_dp-4, effect auditifnotexists
  Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (security center, v55.0.0)
  Assignment: Azure_Security_Baseline, scope /providers/Microsoft.Management/managementGroups/MCAPSCore
  Description: By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison

Resource: armtestvm2
Compliance: NonCompliant
Policy: A vulnerability assessment solution should be enabled on your virtual machines (category Security Center)
  Definition: 501541f7-f7e7-4cd6-868c-4190fdad3ac9, v3.0.0, reference id servervulnerabilityassessment, group azure_security_benchmark_v3.0_pv-5, effect auditifnotexists
  Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (security center, v55.0.0)
  Assignment: Azure_Security_Baseline, scope /providers/Microsoft.Management/managementGroups/MCAPSCore
  Description: Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.

Resource: armtestvm2
Compliance: Compliant
Policy: Management ports should be closed on your virtual machines (category Security Center)
  Definition: 22730e10-96f6-4aac-ad84-9383d35b5917, v3.0.0, reference id restrictaccesstomanagementportsmonitoring, group azure_security_benchmark_v3.0_ns-3, effect auditifnotexists
  Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (security center, v55.0.0)
  Assignment: Azure_Security_Baseline, scope /providers/Microsoft.Management/managementGroups/MCAPSCore
  Description: Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.

Resource: armtestvm2
Compliance: Compliant
Policy: Adaptive network hardening recommendations should be applied on internet facing virtual machines (category Security Center)
  Definition: 08e6af2d-db70-460a-bfe9-d5bd474ba9d6, v3.0.0, reference id adaptivenetworkhardeningsmonitoring, group System.Object[], effect auditifnotexists
  Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (security center, v55.0.0)
  Assignment: Azure_Security_Baseline, scope /providers/Microsoft.Management/managementGroups/MCAPSCore
  Description: Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface.

Resource: armtestvm2
Compliance: NonCompliant
Policy: Linux machines should meet requirements for the Azure compute security baseline (category Guest Configuration)
  Definition: fc9b3da7-8347-4380-8e70-0a0361d8dedd, v2.0.0, reference id linuxguestconfigbaselinesmonitoring, group azure_security_benchmark_v3.0_pv-4, effect auditifnotexists
  Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (security center, v55.0.0)
  Assignment: Azure_Security_Baseline, scope /providers/Microsoft.Management/managementGroups/MCAPSCore
  Description: Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.

Resource: armtestvm2
Compliance: NonCompliant
Policy: Endpoint protection should be installed on your machines (category Security Center)
  Definition: 1f7c564c-0a90-4d44-b7e1-9d456cffaee8, v1.0.0, reference id installendpointprotection, group azure_security_benchmark_v3.0_es-2, effect auditifnotexists
  Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (security center, v55.0.0)
  Assignment: Azure_Security_Baseline, scope /providers/Microsoft.Management/managementGroups/MCAPSCore
  Description: To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.

Resource: armtestvm2
Compliance: Compliant
Policy: All network ports should be restricted on network security groups associated to your virtual machine (category Security Center)
  Definition: 9daedab3-fb2d-461e-b861-71790eead4f6, v3.0.0, reference id nextgenerationfirewallmonitoring, group azure_security_benchmark_v3.0_ns-1, effect auditifnotexists
  Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (security center, v55.0.0)
  Assignment: Azure_Security_Baseline, scope /providers/Microsoft.Management/managementGroups/MCAPSCore
  Description: Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.

Resource: armtestvm2
Compliance: Compliant
Policy: IP Forwarding on your virtual machine should be disabled (category Security Center)
  Definition: bd352bd5-2853-4985-bf0d-73806b4a5744, v3.0.0, reference id disableipforwardingmonitoring, group azure_security_benchmark_v3.0_ns-3, effect auditifnotexists
  Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (security center, v55.0.0)
  Assignment: Azure_Security_Baseline, scope /providers/Microsoft.Management/managementGroups/MCAPSCore
  Description: Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.

Resource: armtestvm2
Compliance: NonCompliant
Policy: Endpoint protection health issues should be resolved on your machines (category Security Center)
  Definition: 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2, v1.0.0, reference id endpointprotectionhealthissuesmonitoringeffect, group System.Object[], effect auditifnotexists
  Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (security center, v55.0.0)
  Assignment: Azure_Security_Baseline, scope /providers/Microsoft.Management/managementGroups/MCAPSCore
  Description: Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.

Resource: armtestvm2
Compliance: NonCompliant
Policy: Azure Backup should be enabled for Virtual Machines (category Backup)
  Definition: 013e242c-8828-4970-87b3-ab247555486d, v3.0.0, reference id azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect, group System.Object[], effect auditifnotexists
  Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (security center, v55.0.0)
  Assignment: Azure_Security_Baseline, scope /providers/Microsoft.Management/managementGroups/MCAPSCore
  Description: Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.

Resource: armtestvm2
Compliance: Compliant
Policy: Internet-facing virtual machines should be protected with network security groups (category Security Center)
  Definition: f6de0be7-9a8a-4b8a-b349-43cf02d22f7c, v3.0.0, reference id networksecuritygroupsonvirtualmachinesmonitoring, group azure_security_benchmark_v3.0_ns-1, effect auditifnotexists
  Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (security center, v55.0.0)
  Assignment: Azure_Security_Baseline, scope /providers/Microsoft.Management/managementGroups/MCAPSCore
  Description: Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc

Resource: armtestvm2
Compliance: Compliant
Policy: Monitor missing Endpoint Protection in Azure Security Center (category Security Center)
  Definition: af6cd1bd-1635-48cb-bde7-5b15693900b9, v3.0.0, reference id endpointprotectionmonitoring, group azure_security_benchmark_v3.0_es-2, effect auditifnotexists
  Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (security center, v55.0.0)
  Assignment: Azure_Security_Baseline, scope /providers/Microsoft.Management/managementGroups/MCAPSCore
  Description: Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations.

Resource: armtestvm2
Compliance: Compliant
Policy: Non-internet-facing virtual machines should be protected with network security groups (category Security Center)
  Definition: bb91dfba-c30d-4263-9add-9c2384e659a6, v3.0.0, reference id networksecuritygroupsoninternalvirtualmachinesmonitoring, group azure_security_benchmark_v3.0_ns-1, effect auditifnotexists
  Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (security center, v55.0.0)
  Assignment: Azure_Security_Baseline, scope /providers/Microsoft.Management/managementGroups/MCAPSCore
  Description: Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc

Resource: armtestvm2
Compliance: Compliant
Policy: Adaptive network hardening recommendations should be applied on internet facing virtual machines (category Security Center)
  Definition: 08e6af2d-db70-460a-bfe9-d5bd474ba9d6, v3.0.0, reference id adaptivenetworkhardeningsmonitoring, group System.Object[], effect auditifnotexists
  Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (security center, v55.0.0)
  Assignment: SecurityCenterBuiltIn, scope /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622
  Description: Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface.

Resource: armtestvm2
Compliance: Compliant
Policy: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources (category Security Center)
  Definition: 0961003e-5a0a-4549-abde-af6a37f2724d, v2.0.3, reference id diskencryptionmonitoring, group azure_security_benchmark_v3.0_dp-4, effect auditifnotexists
  Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (security center, v55.0.0)
  Assignment: SecurityCenterBuiltIn, scope /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622
  Description: By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison

Resource: armtestvm2
Compliance: Compliant
Policy: IP Forwarding on your virtual machine should be disabled (category Security Center)
  Definition: bd352bd5-2853-4985-bf0d-73806b4a5744, v3.0.0, reference id disableipforwardingmonitoring, group azure_security_benchmark_v3.0_ns-3, effect auditifnotexists
  Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (security center, v55.0.0)
  Assignment: SecurityCenterBuiltIn, scope /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622
  Description: Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.

Resource: armtestvm2
Compliance: NonCompliant
Policy: Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs (category Guest Configuration)
  Definition: 331e8ea8-378a-410f-a2e5-ae22f38bb0da, v3.0.0, reference id prerequisite_deployextensionlinux, effect deployifnotexists
  Policy set: 12794019-7a00-42cf-95c2-882eed337cc8 (guest configuration, v1.0.0)
  Assignment: f34f1577286a4f77b5dd107c, scope /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd
  Description: This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.

Resource: armtestvm2
Compliance: NonCompliant
Policy: Endpoint protection health issues should be resolved on your machines (category Security Center)
  Definition: 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2, v1.0.0, reference id endpointprotectionhealthissuesmonitoringeffect, group System.Object[], effect auditifnotexists
  Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (security center, v55.0.0)
  Assignment: SecurityCenterBuiltIn, scope /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622
  Description: Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1armtestvm155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1armtestvm155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1armtestvm155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1armtestvm155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1armtestvm155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1armtestvm155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1armtestvm155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1armtestvm155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
Compliance records for subscription 1d81cec7-7ded-4731-884e-90c5aa59c622, resource group armtest (written ARMTEST in the three filer-* rows; resource group names are case-insensitive, so it is the same group), resource type Microsoft.Compute/virtualMachines. The export lost its column delimiters, so the rows are rebuilt below with the columns that are constant across every row factored out first.

Initiatives and assignments behind these rows:

- Initiative 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), category "security center", version 55.0.0, assigned twice:
  - SecurityCenterBuiltIn at scope /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 (assignment id /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin)
  - Azure_Security_Baseline at scope /providers/Microsoft.Management/managementGroups/MCAPSCore (assignment id /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline)
- Initiative 12794019-7a00-42cf-95c2-882eed337cc8 (/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8), category "guest configuration", version 1.0.0, assigned as f34f1577286a4f77b5dd107c at scope /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd (assignment id /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c)

Per-resource evaluation results (definition column shows the first segment of the definition GUID; the full IDs, reference IDs, categories and descriptions are listed after the table):

| Resource | Region | State | Policy (display name) | Definition | Version | Effect | ASB v3 control | Assignment |
|---|---|---|---|---|---|---|---|---|
| armtestvm2 | eastus | Compliant | Virtual machines should be migrated to new Azure Resource Manager resources | 1d84d5fb | 1.0.0 | audit | am-2 | Azure_Security_Baseline |
| armtestvm2 | eastus | Compliant | [Preview]: Secure Boot should be enabled on supported Windows virtual machines | 97566dd7 | 4.0.0-preview | audit | pv-4 | SecurityCenterBuiltIn |
| armtestvm2 | eastus | Compliant | [Preview]: vTPM should be enabled on supported virtual machines | 1c30f9cd | 2.0.0-preview | audit | pv-4 | SecurityCenterBuiltIn |
| armtestvm2 | eastus | Compliant | [Preview]: Machines should be configured to periodically check for missing system updates | bd876905 | 2.0.0-preview | audit | pv-6 | SecurityCenterBuiltIn |
| armtestvm2 | eastus | Compliant | [Preview]: Secure Boot should be enabled on supported Windows virtual machines | 97566dd7 | 4.0.0-preview | audit | pv-4 | Azure_Security_Baseline |
| armtestvm1 | eastus | Compliant | Monitor missing Endpoint Protection in Azure Security Center | af6cd1bd | 3.0.0 | auditifnotexists | es-2 | SecurityCenterBuiltIn |
| armtestvm1 | eastus | Compliant | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | 0961003e | 2.0.3 | auditifnotexists | dp-4 | SecurityCenterBuiltIn |
| armtestvm1 | eastus | NonCompliant | Guest Configuration extension should be installed on your machines | ae89ebca | 1.0.2 | auditifnotexists | pv-4 | SecurityCenterBuiltIn |
| armtestvm1 | eastus | NonCompliant | Guest Configuration extension should be installed on your machines | ae89ebca | 1.0.2 | auditifnotexists | pv-4 | Azure_Security_Baseline |
| armtestvm1 | eastus | NonCompliant | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring | a4fe33eb | 1.0.0 | auditifnotexists | lt-5 | Azure_Security_Baseline |
| armtestvm1 | eastus | NonCompliant | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | 331e8ea8 | 3.0.0 | deployifnotexists | (none) | f34f1577286a4f77b5dd107c |
| mds-mmztemzug5rtgljxgfswkljugv | southcentralus | Compliant | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring | a4fe33eb | 1.0.0 | auditifnotexists | lt-5 | Azure_Security_Baseline |
| mds-mmztemzug5rtgljxgfswkljugv | southcentralus | NonCompliant | Azure Backup should be enabled for Virtual Machines | 013e242c | 3.0.0 | auditifnotexists | System.Object[] | SecurityCenterBuiltIn |
| armtestvm1 | eastus | NonCompliant | Endpoint protection health issues should be resolved on your machines | 8e42c1f2 | 1.0.0 | auditifnotexists | System.Object[] | SecurityCenterBuiltIn |
| armtestvm1 | eastus | NonCompliant | Endpoint protection should be installed on your machines | 1f7c564c | 1.0.0 | auditifnotexists | es-2 | SecurityCenterBuiltIn |
| armtestvm1 | eastus | NonCompliant | Azure Backup should be enabled for Virtual Machines | 013e242c | 3.0.0 | auditifnotexists | System.Object[] | SecurityCenterBuiltIn |
| armtestvm1 | eastus | Compliant | Vulnerabilities in container security configurations should be remediated | e8cbc669 | 3.0.0 | auditifnotexists | System.Object[] | SecurityCenterBuiltIn |
| armtestvm1 | eastus | Compliant | IP Forwarding on your virtual machine should be disabled | bd352bd5 | 3.0.0 | auditifnotexists | ns-3 | SecurityCenterBuiltIn |
| armtestvm1 | eastus | Compliant | Management ports should be closed on your virtual machines | 22730e10 | 3.0.0 | auditifnotexists | ns-3 | SecurityCenterBuiltIn |
| armtestvm1 | eastus | Compliant | Adaptive network hardening recommendations should be applied on internet facing virtual machines | 08e6af2d | 3.0.0 | auditifnotexists | System.Object[] | SecurityCenterBuiltIn |
| armtestvm1 | eastus | NonCompliant | SQL servers on machines should have vulnerability findings resolved | 6ba6d016 | 1.0.0 | auditifnotexists | pv-6 | SecurityCenterBuiltIn |
| armtestvm1 | eastus | Compliant | All network ports should be restricted on network security groups associated to your virtual machine | 9daedab3 | 3.0.0 | auditifnotexists | ns-1 | SecurityCenterBuiltIn |
| armtestvm1 | eastus | NonCompliant | A vulnerability assessment solution should be enabled on your virtual machines | 501541f7 | 3.0.0 | auditifnotexists | pv-5 | SecurityCenterBuiltIn |
| armtestvm1 | eastus | Compliant | [Preview]: System updates should be installed on your machines (powered by Update Center) | f85bf3e0 | 1.0.0-preview | auditifnotexists | pv-6 | Azure_Security_Baseline |
| armtestvm2 | eastus | NonCompliant | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | 331e8ea8 | 3.0.0 | deployifnotexists | (none) | f34f1577286a4f77b5dd107c |
| armtestvm5 | southcentralus | NonCompliant | Endpoint protection should be installed on your machines | 1f7c564c | 1.0.0 | auditifnotexists | es-2 | SecurityCenterBuiltIn |
| armtestvm2 | eastus | NonCompliant | Endpoint protection should be installed on your machines | 1f7c564c | 1.0.0 | auditifnotexists | es-2 | SecurityCenterBuiltIn |
| armtestvm5 | southcentralus | Compliant | [Preview]: vTPM should be enabled on supported virtual machines | 1c30f9cd | 2.0.0-preview | audit | pv-4 | SecurityCenterBuiltIn |
| armtestvm5 | southcentralus | Compliant | [Preview]: Machines should be configured to periodically check for missing system updates | bd876905 | 2.0.0-preview | audit | pv-6 | SecurityCenterBuiltIn |
| filer-g5rwmzlemi2gmllemiytaljugy | eastus | Compliant | [Preview]: Secure Boot should be enabled on supported Windows virtual machines | 97566dd7 | 4.0.0-preview | audit | pv-4 | Azure_Security_Baseline |
| filer-g5rwmzlemi2gmllemiytaljugy | eastus | Compliant | [Preview]: vTPM should be enabled on supported virtual machines | 1c30f9cd | 2.0.0-preview | audit | pv-4 | Azure_Security_Baseline |
| filer-g5rwmzlemi2gmllemiytaljugy | eastus | Compliant | [Preview]: Machines should be configured to periodically check for missing system updates | bd876905 | 2.0.0-preview | audit | pv-6 | Azure_Security_Baseline |

Resource IDs follow the pattern /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/<resource>. ASB v3 control values are the PolicyDefinitionGroupNames column with the azure_security_benchmark_v3.0_ prefix removed.

Policy definitions referenced (ID, reference ID, version, category, description as exported):

- 1d84d5fb-01f6-4d12-ba4f-4a26081d403d, classiccomputevmsmonitoring, 1.0.0, Compute. Virtual machines should be migrated to new Azure Resource Manager resources: Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management
- 97566dd7-78ae-4997-8b36-1c7bfe0d8121, previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect, 4.0.0-preview, Security Center. [Preview]: Secure Boot should be enabled on supported Windows virtual machines: Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.
- 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3, vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect, 2.0.0-preview, Security Center. [Preview]: vTPM should be enabled on supported virtual machines: Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.
- bd876905-5b84-4f73-ab2d-2e7a7c4568d9, systemupdatesautoassessmentmode, 2.0.0-preview, Update Management Center. [Preview]: Machines should be configured to periodically check for missing system updates: To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.
- af6cd1bd-1635-48cb-bde7-5b15693900b9, endpointprotectionmonitoring, 3.0.0, Security Center. Monitor missing Endpoint Protection in Azure Security Center: Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations
- 0961003e-5a0a-4549-abde-af6a37f2724d, diskencryptionmonitoring, 2.0.3, Security Center. Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources: By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison
- ae89ebca-1c92-4898-ac2c-9f63decb045c, gcextonvmmonitoring, 1.0.2, Security Center. Guest Configuration extension should be installed on your machines: To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.
- a4fe33eb-e377-4efb-ab31-0784311bc499, installloganalyticsagentonvmmonitoring, 1.0.0, Security Center. Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring: This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats
- 331e8ea8-378a-410f-a2e5-ae22f38bb0da, prerequisite_deployextensionlinux, 3.0.0, Guest Configuration (from initiative 12794019). Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs: This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.
- 013e242c-8828-4970-87b3-ab247555486d, azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect, 3.0.0, Backup. Azure Backup should be enabled for Virtual Machines: Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.
- 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2, endpointprotectionhealthissuesmonitoringeffect, 1.0.0, Security Center. Endpoint protection health issues should be resolved on your machines: Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.
- 1f7c564c-0a90-4d44-b7e1-9d456cffaee8, installendpointprotection, 1.0.0, Security Center. Endpoint protection should be installed on your machines: To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.
- e8cbc669-f12d-49eb-93e7-9273119e9933, containerbenchmarkmonitoring, 3.0.0, Security Center. Vulnerabilities in container security configurations should be remediated: Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.
- bd352bd5-2853-4985-bf0d-73806b4a5744, disableipforwardingmonitoring, 3.0.0, Security Center. IP Forwarding on your virtual machine should be disabled: Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.
- 22730e10-96f6-4aac-ad84-9383d35b5917, restrictaccesstomanagementportsmonitoring, 3.0.0, Security Center. Management ports should be closed on your virtual machines: Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.
- 08e6af2d-db70-460a-bfe9-d5bd474ba9d6, adaptivenetworkhardeningsmonitoring, 3.0.0, Security Center. Adaptive network hardening recommendations should be applied on internet facing virtual machines: Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface
- 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d, serversqldbvulnerabilityassesmentmonitoring, 1.0.0, Security Center. SQL servers on machines should have vulnerability findings resolved: SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.
- 9daedab3-fb2d-461e-b861-71790eead4f6, nextgenerationfirewallmonitoring, 3.0.0, Security Center. All network ports should be restricted on network security groups associated to your virtual machine: Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.
- 501541f7-f7e7-4cd6-868c-4190fdad3ac9, servervulnerabilityassessment, 3.0.0, Security Center. A vulnerability assessment solution should be enabled on your virtual machines: Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.
- f85bf3e0-d513-442e-89c3-1784ad63382b, systemupdatesv2monitoring, 1.0.0-preview, Security Center. [Preview]: System updates should be installed on your machines (powered by Update Center): Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.

Notes on reading this export:

- The value tbd appears in every row for ResourceTags, PolicyDefinitionCategory and PolicyAssignmentParameters, and EffectiveParameters, PolicySetDefinitionParameters, PolicySetDefinitionOwner, PolicyEvaluationDetails, PolicyAssignmentVersion and PolicyAssignmentOwner are empty throughout; those columns are omitted above.
- System.Object[] in the ASB v3 control column is PowerShell's string form of an array: those definitions map to more than one control group and the names were lost when the report generator coerced the array to a string. Read the mapping from the definition's own policyMetadata instead of from this export.
- A definition assigned at both subscription scope (SecurityCenterBuiltIn) and management-group scope (Azure_Security_Baseline) produces one row per assignment for the same resource, for example ae89ebca on armtestvm1 and 97566dd7 on armtestvm2. Tally findings per (resource, definition), not per row, or each such finding is counted twice.
- 331e8ea8 is the only deployIfNotExists definition here. A NonCompliant result for an existing VM under that effect means the extension has not been deployed: deployIfNotExists only acts on resource create or update, or when a remediation task is run for the assignment, and the assignment's managed identity must hold the role the deployment needs.
- The audit and auditIfNotExists rows (everything else) record state only; a NonCompliant result there is fixed by changing the VM or installing the agent, not by the policy.
1d81cec7-7ded-4731-884e-90c5aa59c622ARMTESTMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugyfiler-g5rwmzlemi2gmllemiytaljugy55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622ARMTESTMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugyfiler-g5rwmzlemi2gmllemiytaljugy55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ARMTESTMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugyfiler-g5rwmzlemi2gmllemiytaljugy55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ARMTESTMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugyfiler-g5rwmzlemi2gmllemiytaljugy55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622ARMTESTMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugyfiler-g5rwmzlemi2gmllemiytaljugy55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622ARMTESTMicrosoft.Compute/virtualMachinestbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugyfiler-g5rwmzlemi2gmllemiytaljugy55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5armtestvm555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5armtestvm51.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4armtestvm455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4armtestvm455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4armtestvm455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljugaserver-gzstsmlegeygmljqmztgiljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljugaserver-gzstsmlegeygmljqmztgiljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4armtestvm455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4armtestvm455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4armtestvm455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4armtestvm455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5armtestvm51.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4armtestvm455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vmarmtest-jump-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622ARMTESTMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugyfiler-g5rwmzlemi2gmllemiytaljugy55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622ARMTESTMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugyfiler-g5rwmzlemi2gmllemiytaljugy55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
"1d81cec7-7ded-4731-884e-90c5aa59c622","ARMTEST","Microsoft.Compute/virtualMachines","tbd","eastus","True","Compliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy","filer-g5rwmzlemi2gmllemiytaljugy","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","3.0.0","adaptivenetworkhardeningsmonitoring","08e6af2d-db70-460a-bfe9-d5bd474ba9d6","/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6","System.Object[]","tbd","auditifnotexists","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622","tbd","","SecurityCenterBuiltIn","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface","Security Center","Adaptive network hardening recommendations should be applied on internet facing virtual machines"
"1d81cec7-7ded-4731-884e-90c5aa59c622","ARMTEST","Microsoft.Compute/virtualMachines","tbd","eastus","False","NonCompliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy","filer-g5rwmzlemi2gmllemiytaljugy","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","1.0.0","serversqldbvulnerabilityassesmentmonitoring","6ba6d016-e7c3-4842-b8f2-4992ebc0d72d","/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d","azure_security_benchmark_v3.0_pv-6","tbd","auditifnotexists","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622","tbd","","SecurityCenterBuiltIn","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.","Security Center","SQL servers on machines should have vulnerability findings resolved"
"1d81cec7-7ded-4731-884e-90c5aa59c622","ARMTEST","Microsoft.Compute/virtualMachines","tbd","eastus","True","Compliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy","filer-g5rwmzlemi2gmllemiytaljugy","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","1.0.2","gcextonvmmonitoring","ae89ebca-1c92-4898-ac2c-9f63decb045c","/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c","azure_security_benchmark_v3.0_pv-4","tbd","auditifnotexists","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622","tbd","","SecurityCenterBuiltIn","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.","Security Center","Guest Configuration extension should be installed on your machines"
"1d81cec7-7ded-4731-884e-90c5aa59c622","ARMTEST","Microsoft.Compute/virtualMachines","tbd","eastus","True","Compliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy","filer-g5rwmzlemi2gmllemiytaljugy","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","3.0.0","nextgenerationfirewallmonitoring","9daedab3-fb2d-461e-b861-71790eead4f6","/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6","azure_security_benchmark_v3.0_ns-1","tbd","auditifnotexists","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622","tbd","","SecurityCenterBuiltIn","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.","Security Center","All network ports should be restricted on network security groups associated to your virtual machine"
"1d81cec7-7ded-4731-884e-90c5aa59c622","ARMTEST","Microsoft.Compute/virtualMachines","tbd","eastus","True","Compliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy","filer-g5rwmzlemi2gmllemiytaljugy","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","3.0.0","servervulnerabilityassessment","501541f7-f7e7-4cd6-868c-4190fdad3ac9","/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9","azure_security_benchmark_v3.0_pv-5","tbd","auditifnotexists","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622","tbd","","SecurityCenterBuiltIn","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.","Security Center","A vulnerability assessment solution should be enabled on your virtual machines"
"1d81cec7-7ded-4731-884e-90c5aa59c622","ARMTEST","Microsoft.Compute/virtualMachines","tbd","eastus","True","Compliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy","filer-g5rwmzlemi2gmllemiytaljugy","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","2.0.3","diskencryptionmonitoring","0961003e-5a0a-4549-abde-af6a37f2724d","/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","azure_security_benchmark_v3.0_dp-4","tbd","auditifnotexists","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622","tbd","","SecurityCenterBuiltIn","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison","Security Center","Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
"1d81cec7-7ded-4731-884e-90c5aa59c622","armtest","Microsoft.Compute/virtualMachines","tbd","eastus","False","NonCompliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm","armtest-jump-vm","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","2.0.0","linuxguestconfigbaselinesmonitoring","fc9b3da7-8347-4380-8e70-0a0361d8dedd","/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd","azure_security_benchmark_v3.0_pv-4","tbd","auditifnotexists","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622","tbd","","SecurityCenterBuiltIn","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.","Guest Configuration","Linux machines should meet requirements for the Azure compute security baseline"
"1d81cec7-7ded-4731-884e-90c5aa59c622","ARMTEST","Microsoft.Compute/virtualMachines","tbd","eastus","True","Compliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy","filer-g5rwmzlemi2gmllemiytaljugy","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","3.0.0","endpointprotectionmonitoring","af6cd1bd-1635-48cb-bde7-5b15693900b9","/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9","azure_security_benchmark_v3.0_es-2","tbd","auditifnotexists","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622","tbd","","SecurityCenterBuiltIn","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations","Security Center","Monitor missing Endpoint Protection in Azure Security Center"
"1d81cec7-7ded-4731-884e-90c5aa59c622","armtest","Microsoft.Compute/virtualMachines","tbd","eastus","False","NonCompliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm","armtest-cc-vm","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","2.0.0","linuxguestconfigbaselinesmonitoring","fc9b3da7-8347-4380-8e70-0a0361d8dedd","/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd","azure_security_benchmark_v3.0_pv-4","tbd","auditifnotexists","","/providers/Microsoft.Management/managementGroups/MCAPSCore","tbd","","Azure_Security_Baseline","/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline","Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.","Guest Configuration","Linux machines should meet requirements for the Azure compute security baseline"
"1d81cec7-7ded-4731-884e-90c5aa59c622","ARMTEST","Microsoft.Compute/virtualMachines","tbd","eastus","True","Compliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy","filer-g5rwmzlemi2gmllemiytaljugy","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","3.0.0","systemconfigurationsmonitoring","e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","azure_security_benchmark_v3.0_pv-6","tbd","auditifnotexists","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622","tbd","","SecurityCenterBuiltIn","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations","Security Center","Vulnerabilities in security configuration on your machines should be remediated"
"1d81cec7-7ded-4731-884e-90c5aa59c622","ARMTEST","Microsoft.Compute/virtualMachines","tbd","eastus","True","Compliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy","filer-g5rwmzlemi2gmllemiytaljugy","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","3.0.0","networksecuritygroupsonvirtualmachinesmonitoring","f6de0be7-9a8a-4b8a-b349-43cf02d22f7c","/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c","azure_security_benchmark_v3.0_ns-1","tbd","auditifnotexists","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622","tbd","","SecurityCenterBuiltIn","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc","Security Center","Internet-facing virtual machines should be protected with network security groups"
"1d81cec7-7ded-4731-884e-90c5aa59c622","armtest","Microsoft.Compute/virtualMachines","tbd","southcentralus","True","Compliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5","armtestvm5","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","2.0.0-preview","vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect","1c30f9cd-b84c-49cc-aa2c-9288447cc3b3","/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3","azure_security_benchmark_v3.0_pv-4","tbd","audit","","/providers/Microsoft.Management/managementGroups/MCAPSCore","tbd","","Azure_Security_Baseline","/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline","Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.","Security Center","[Preview]: vTPM should be enabled on supported virtual machines"
"1d81cec7-7ded-4731-884e-90c5aa59c622","armtest","Microsoft.Compute/virtualMachines","tbd","southcentralus","True","Compliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5","armtestvm5","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","2.0.0-preview","systemupdatesautoassessmentmode","bd876905-5b84-4f73-ab2d-2e7a7c4568d9","/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9","azure_security_benchmark_v3.0_pv-6","tbd","audit","","/providers/Microsoft.Management/managementGroups/MCAPSCore","tbd","","Azure_Security_Baseline","/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline","To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.","Update Management Center","[Preview]: Machines should be configured to periodically check for missing system updates"
"1d81cec7-7ded-4731-884e-90c5aa59c622","armtest","Microsoft.Compute/virtualMachines","tbd","southcentralus","True","Compliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5","armtestvm5","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","1.0.0","classiccomputevmsmonitoring","1d84d5fb-01f6-4d12-ba4f-4a26081d403d","/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d","azure_security_benchmark_v3.0_am-2","tbd","audit","","/providers/Microsoft.Management/managementGroups/MCAPSCore","tbd","","Azure_Security_Baseline","/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline","Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management","Compute","Virtual machines should be migrated to new Azure Resource Manager resources"
"1d81cec7-7ded-4731-884e-90c5aa59c622","armtest","Microsoft.Compute/virtualMachines","tbd","southcentralus","True","Compliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5","armtestvm5","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","4.0.0-preview","previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect","97566dd7-78ae-4997-8b36-1c7bfe0d8121","/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121","azure_security_benchmark_v3.0_pv-4","tbd","audit","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622","tbd","","SecurityCenterBuiltIn","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.","Security Center","[Preview]: Secure Boot should be enabled on supported Windows virtual machines"
"1d81cec7-7ded-4731-884e-90c5aa59c622","ARMTEST","Microsoft.Compute/virtualMachines","tbd","eastus","True","Compliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy","filer-g5rwmzlemi2gmllemiytaljugy","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","3.0.0","adaptiveapplicationcontrolsupdatemonitoring","123a3936-f020-408a-ba0c-47873faf1534","/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534","azure_security_benchmark_v3.0_am-5","tbd","auditifnotexists","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622","tbd","","SecurityCenterBuiltIn","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.","Security Center","Allowlist rules in your adaptive application control policy should be updated"
"1d81cec7-7ded-4731-884e-90c5aa59c622","ARMTEST","Microsoft.Compute/virtualMachines","tbd","eastus","False","NonCompliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy","filer-g5rwmzlemi2gmllemiytaljugy","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","3.0.0","adaptiveapplicationcontrolsmonitoring","47a6b606-51aa-4496-8bb7-64b11cf66adc","/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","azure_security_benchmark_v3.0_am-5","tbd","auditifnotexists","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622","tbd","","SecurityCenterBuiltIn","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.","Security Center","Adaptive application controls for defining safe applications should be enabled on your machines"
"1d81cec7-7ded-4731-884e-90c5aa59c622","ARMTEST","Microsoft.Compute/virtualMachines","tbd","eastus","True","Compliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy","filer-g5rwmzlemi2gmllemiytaljugy","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","3.0.0","jitnetworkaccessmonitoring","b0f33259-77d7-4c9e-aac6-3aabcfae693c","/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c","System.Object[]","tbd","auditifnotexists","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622","tbd","","SecurityCenterBuiltIn","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations","Security Center","Management ports of virtual machines should be protected with just-in-time network access control"
"1d81cec7-7ded-4731-884e-90c5aa59c622","ARMTEST","Microsoft.Compute/virtualMachines","tbd","eastus","True","Compliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy","filer-g5rwmzlemi2gmllemiytaljugy","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","1.0.0-preview","systemupdatesv2monitoring","f85bf3e0-d513-442e-89c3-1784ad63382b","/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b","azure_security_benchmark_v3.0_pv-6","tbd","auditifnotexists","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622","tbd","","SecurityCenterBuiltIn","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.","Security Center","[Preview]: System updates should be installed on your machines (powered by Update Center)"
"1d81cec7-7ded-4731-884e-90c5aa59c622","ARMTEST","Microsoft.Compute/virtualMachines","tbd","eastus","True","Compliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy","filer-g5rwmzlemi2gmllemiytaljugy","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","1.0.0","installloganalyticsagentonvmmonitoring","a4fe33eb-e377-4efb-ab31-0784311bc499","/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499","azure_security_benchmark_v3.0_lt-5","tbd","auditifnotexists","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622","tbd","","SecurityCenterBuiltIn","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats","Security Center","Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring"
"1d81cec7-7ded-4731-884e-90c5aa59c622","ARMTEST","Microsoft.Compute/virtualMachines","tbd","eastus","True","Compliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy","filer-g5rwmzlemi2gmllemiytaljugy","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","3.0.0","networksecuritygroupsoninternalvirtualmachinesmonitoring","bb91dfba-c30d-4263-9add-9c2384e659a6","/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6","azure_security_benchmark_v3.0_ns-1","tbd","auditifnotexists","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622","tbd","","SecurityCenterBuiltIn","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc","Security Center","Non-internet-facing virtual machines should be protected with network security groups"
"1d81cec7-7ded-4731-884e-90c5aa59c622","ARMTEST","Microsoft.Compute/virtualMachines","tbd","eastus","True","Compliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy","filer-g5rwmzlemi2gmllemiytaljugy","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","3.0.0","containerbenchmarkmonitoring","e8cbc669-f12d-49eb-93e7-9273119e9933","/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933","System.Object[]","tbd","auditifnotexists","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622","tbd","","SecurityCenterBuiltIn","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.","Security Center","Vulnerabilities in container security configurations should be remediated"
"1d81cec7-7ded-4731-884e-90c5aa59c622","armtest","Microsoft.Compute/virtualMachines","tbd","eastus","False","NonCompliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4","armtestvm4","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","3.0.0","azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect","013e242c-8828-4970-87b3-ab247555486d","/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d","System.Object[]","tbd","auditifnotexists","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622","tbd","","SecurityCenterBuiltIn","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.","Backup","Azure Backup should be enabled for Virtual Machines"
"1d81cec7-7ded-4731-884e-90c5aa59c622","armtest","Microsoft.Compute/virtualMachines","tbd","eastus","True","Compliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga","server-gzstsmlegeygmljqmztgiljuga","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","3.0.0","adaptivenetworkhardeningsmonitoring","08e6af2d-db70-460a-bfe9-d5bd474ba9d6","/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6","System.Object[]","tbd","auditifnotexists","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622","tbd","","SecurityCenterBuiltIn","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface","Security Center","Adaptive network hardening recommendations should be applied on internet facing virtual machines"
"1d81cec7-7ded-4731-884e-90c5aa59c622","armtest","Microsoft.Compute/virtualMachines","tbd","eastus","True","Compliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4","armtestvm4","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","3.0.0","disableipforwardingmonitoring","bd352bd5-2853-4985-bf0d-73806b4a5744","/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744","azure_security_benchmark_v3.0_ns-3","tbd","auditifnotexists","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622","tbd","","SecurityCenterBuiltIn","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.","Security Center","IP Forwarding on your virtual machine should be disabled"
"1d81cec7-7ded-4731-884e-90c5aa59c622","armtest","Microsoft.Compute/virtualMachines","tbd","eastus","True","Compliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4","armtestvm4","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","3.0.0","adaptivenetworkhardeningsmonitoring","08e6af2d-db70-460a-bfe9-d5bd474ba9d6","/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6","System.Object[]","tbd","auditifnotexists","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622","tbd","","SecurityCenterBuiltIn","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface","Security Center","Adaptive network hardening recommendations should be applied on internet facing virtual machines"
"1d81cec7-7ded-4731-884e-90c5aa59c622","armtest","Microsoft.Compute/virtualMachines","tbd","eastus","True","Compliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga","server-gzstsmlegeygmljqmztgiljuga","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","3.0.0","networksecuritygroupsoninternalvirtualmachinesmonitoring","bb91dfba-c30d-4263-9add-9c2384e659a6","/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6","azure_security_benchmark_v3.0_ns-1","tbd","auditifnotexists","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622","tbd","","SecurityCenterBuiltIn","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc","Security Center","Non-internet-facing virtual machines should be protected with network security groups"
"1d81cec7-7ded-4731-884e-90c5aa59c622","armtest","Microsoft.Compute/virtualMachines","tbd","eastus","True","Compliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga","server-gzstsmlegeygmljqmztgiljuga","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","3.0.0","networksecuritygroupsonvirtualmachinesmonitoring","f6de0be7-9a8a-4b8a-b349-43cf02d22f7c","/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c","azure_security_benchmark_v3.0_ns-1","tbd","auditifnotexists","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622","tbd","","SecurityCenterBuiltIn","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc","Security Center","Internet-facing virtual machines should be protected with network security groups"
"1d81cec7-7ded-4731-884e-90c5aa59c622","armtest","Microsoft.Compute/virtualMachines","tbd","eastus","True","Compliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4","armtestvm4","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","3.0.0","restrictaccesstomanagementportsmonitoring","22730e10-96f6-4aac-ad84-9383d35b5917","/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917","azure_security_benchmark_v3.0_ns-3","tbd","auditifnotexists","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622","tbd","","SecurityCenterBuiltIn","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.","Security Center","Management ports should be closed on your virtual machines"
"1d81cec7-7ded-4731-884e-90c5aa59c622","armtest","Microsoft.Compute/virtualMachines","tbd","eastus","True","Compliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4","armtestvm4","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","3.0.0","nextgenerationfirewallmonitoring","9daedab3-fb2d-461e-b861-71790eead4f6","/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6","azure_security_benchmark_v3.0_ns-1","tbd","auditifnotexists","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622","tbd","","SecurityCenterBuiltIn","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.","Security Center","All network ports should be restricted on network security groups associated to your virtual machine"
"1d81cec7-7ded-4731-884e-90c5aa59c622","armtest","Microsoft.Compute/virtualMachines","tbd","eastus","False","NonCompliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4","armtestvm4","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","1.0.0","serversqldbvulnerabilityassesmentmonitoring","6ba6d016-e7c3-4842-b8f2-4992ebc0d72d","/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d","azure_security_benchmark_v3.0_pv-6","tbd","auditifnotexists","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622","tbd","","SecurityCenterBuiltIn","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.","Security Center","SQL servers on machines should have vulnerability findings resolved"
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4armtestvm455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4armtestvm455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4armtestvm455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4armtestvm455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljugaserver-gzstsmlegeygmljqmztgiljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4armtestvm455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4armtestvm455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4armtestvm455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4armtestvm455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4armtestvm455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4armtestvm455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljugaserver-gzstsmlegeygmljqmztgiljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljugaserver-gzstsmlegeygmljqmztgiljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4armtestvm455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljugaserver-gzstsmlegeygmljqmztgiljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljugaserver-gzstsmlegeygmljqmztgiljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljugaserver-gzstsmlegeygmljqmztgiljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4armtestvm455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4armtestvm455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4armtestvm455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4armtestvm455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4armtestvm455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4,armtestvm4,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga,server-gzstsmlegeygmljqmztgiljuga,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,SQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga,server-gzstsmlegeygmljqmztgiljuga,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,All network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4,armtestvm4,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,Adaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4,armtestvm4,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,Allowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4,armtestvm4,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4,armtestvm4,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,Management ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4,armtestvm4,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,3.0.0,prerequisite_deployextensionlinux,331e8ea8-378a-410f-a2e5-ae22f38bb0da,/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da,,tbd,deployifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4,armtestvm4,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,System updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga,server-gzstsmlegeygmljqmztgiljuga,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,A vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga,server-gzstsmlegeygmljqmztgiljuga,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4,armtestvm4,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,Guest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2,armtestvm2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,Linux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4,armtestvm4,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4,armtestvm4,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,Guest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4,armtestvm4,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga,server-gzstsmlegeygmljqmztgiljuga,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,Monitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4,armtestvm4,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622,ARMTEST,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy,filer-g5rwmzlemi2gmllemiytaljugy,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,ARMTEST,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy,filer-g5rwmzlemi2gmllemiytaljugy,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,ARMTEST,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy,filer-g5rwmzlemi2gmllemiytaljugy,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,3.0.0,prerequisite_deployextensionlinux,331e8ea8-378a-410f-a2e5-ae22f38bb0da,/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da,,tbd,deployifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3,armtestvm3,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,Linux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5,armtestvm5,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,Azure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga,server-gzstsmlegeygmljqmztgiljuga,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,Adaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga,server-gzstsmlegeygmljqmztgiljuga,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,Management ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga,server-gzstsmlegeygmljqmztgiljuga,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga,server-gzstsmlegeygmljqmztgiljuga,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,System updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv,mds-mmztemzug5rtgljxgfswkljugv,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,Linux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga,server-gzstsmlegeygmljqmztgiljuga,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,Guest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga,server-gzstsmlegeygmljqmztgiljuga,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga,server-gzstsmlegeygmljqmztgiljuga,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,3.0.0,prerequisite_deployextensionlinux,331e8ea8-378a-410f-a2e5-ae22f38bb0da,/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da,,tbd,deployifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljugaserver-gzstsmlegeygmljqmztgiljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljugaserver-gzstsmlegeygmljqmztgiljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljugaserver-gzstsmlegeygmljqmztgiljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljugaserver-gzstsmlegeygmljqmztgiljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachines/extensionstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachines/extensionstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4armtestvm455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5armtestvm555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5armtestvm555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4armtestvm455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4armtestvm455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5armtestvm555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljugaserver-gzstsmlegeygmljqmztgiljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5armtestvm555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljugaserver-gzstsmlegeygmljqmztgiljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljugaserver-gzstsmlegeygmljqmztgiljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5armtestvm555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5armtestvm555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5armtestvm555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugvmds-mmztemzug5rtgljxgfswkljugv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugvmds-mmztemzug5rtgljxgfswkljugv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3armtestvm355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4armtestvm455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljugaserver-gzstsmlegeygmljqmztgiljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljugaserver-gzstsmlegeygmljqmztgiljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljugaserver-gzstsmlegeygmljqmztgiljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljugaserver-gzstsmlegeygmljqmztgiljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljugaserver-gzstsmlegeygmljqmztgiljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljugaserver-gzstsmlegeygmljqmztgiljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljugaserver-gzstsmlegeygmljqmztgiljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljugaserver-gzstsmlegeygmljqmztgiljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljugaserver-gzstsmlegeygmljqmztgiljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljugaserver-gzstsmlegeygmljqmztgiljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622ARMTESTMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugyfiler-g5rwmzlemi2gmllemiytaljugy55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljugaserver-gzstsmlegeygmljqmztgiljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljugaserver-gzstsmlegeygmljqmztgiljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljugaserver-gzstsmlegeygmljqmztgiljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622ARMTESTMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugyfiler-g5rwmzlemi2gmllemiytaljugy55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5armtestvm555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5armtestvm555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5armtestvm555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5armtestvm555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5armtestvm555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5armtestvm555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5armtestvm555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5armtestvm555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5armtestvm555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5armtestvm555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5armtestvm555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5armtestvm555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4armtestvm455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5armtestvm555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5armtestvm555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622ARMTESTMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugyfiler-g5rwmzlemi2gmllemiytaljugy55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vmarmtest-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622ARMTESTMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugyfiler-g5rwmzlemi2gmllemiytaljugy55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ARMTESTMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugyfiler-g5rwmzlemi2gmllemiytaljugy55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622ARMTESTMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugyfiler-g5rwmzlemi2gmllemiytaljugy55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622ARMTESTMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugyfiler-g5rwmzlemi2gmllemiytaljugy55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ARMTESTMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugyfiler-g5rwmzlemi2gmllemiytaljugy55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5armtestvm555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5armtestvm555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ARMTESTMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugyfiler-g5rwmzlemi2gmllemiytaljugy55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622ARMTESTMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugyfiler-g5rwmzlemi2gmllemiytaljugy55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5armtestvm555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5armtestvm555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5armtestvm555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5armtestvm555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5armtestvm555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5armtestvm555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5armtestvm555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5armtestvm555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5armtestvm555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5armtestvm555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5armtestvm555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5armtestvm555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
Policy compliance records, subscription 1d81cec7-7ded-4731-884e-90c5aa59c622, resource group armtest, resource type Microsoft.Compute/virtualMachines (ResourceTags: tbd). The column delimiters were lost in the export; the rows below are the same records with the per-row columns separated again and the values that are identical in every row factored out. Columns that are empty or "tbd" in every row (EffectiveParameters, PolicySetDefinitionParameters, owners, PolicyEvaluationDetails, PolicyAssignmentVersion, PolicyAssignmentParameters, PolicyDefinitionCategory) are omitted.

ResourceId pattern: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/<Resource>

Initiative (all rows except prerequisite_deployextensionlinux): 1f3afdf9-d0c9-4c3d-847f-89da613e70a8, category security center, version 55.0.0, /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8. PolicyDefinitionAction: auditifnotexists.

Assignments:
  Azure_Security_Baseline: scope /providers/Microsoft.Management/managementGroups/MCAPSCore, id /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
  SecurityCenterBuiltIn: scope /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622, id /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
  f34f1577286a4f77b5dd107c (prerequisite_deployextensionlinux row only): initiative 12794019-7a00-42cf-95c2-882eed337cc8, category guest configuration, version 1.0.0, /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8; PolicyDefinitionAction deployifnotexists; scope /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd, id /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c

Resource | Location | IsCompliant | ComplianceState | PolicyDefinitionReferenceId | Assignment
armtestvm5 | southcentralus | True | Compliant | jitnetworkaccessmonitoring | Azure_Security_Baseline
armtestvm5 | southcentralus | True | Compliant | systemupdatesv2monitoring | Azure_Security_Baseline
armtestvm5 | southcentralus | True | Compliant | systemupdatesmonitoring | Azure_Security_Baseline
armtestvm5 | southcentralus | True | Compliant | gcextonvmmonitoring | Azure_Security_Baseline
armtestvm5 | southcentralus | False | NonCompliant | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | SecurityCenterBuiltIn
armtestvm5 | southcentralus | True | Compliant | installloganalyticsagentonvmmonitoring | Azure_Security_Baseline
armtestvm5 | southcentralus | True | Compliant | prerequisite_deployextensionlinux | f34f1577286a4f77b5dd107c
armtestvm5 | southcentralus | False | NonCompliant | endpointprotectionhealthissuesmonitoringeffect | SecurityCenterBuiltIn
armtest-jump-vm | eastus | True | Compliant | jitnetworkaccessmonitoring | SecurityCenterBuiltIn
armtestvm5 | southcentralus | True | Compliant | containerbenchmarkmonitoring | SecurityCenterBuiltIn
armtestvm3 | eastus | False | NonCompliant | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | SecurityCenterBuiltIn
armtestvm5 | southcentralus | True | Compliant | disableipforwardingmonitoring | SecurityCenterBuiltIn
armtestvm5 | southcentralus | True | Compliant | restrictaccesstomanagementportsmonitoring | SecurityCenterBuiltIn
armtestvm5 | southcentralus | True | Compliant | adaptivenetworkhardeningsmonitoring | SecurityCenterBuiltIn
armtestvm1 | eastus | False | NonCompliant | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | Azure_Security_Baseline
armtestvm3 | eastus | False | NonCompliant | linuxguestconfigbaselinesmonitoring | SecurityCenterBuiltIn
armtestvm2 | eastus | False | NonCompliant | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | Azure_Security_Baseline
armtestvm4 | eastus | False | NonCompliant | installloganalyticsagentonvmmonitoring | SecurityCenterBuiltIn
armtestvm4 | eastus | True | Exempt | systemupdatesmonitoring | SecurityCenterBuiltIn
armtestvm4 | eastus | True | Compliant | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | Azure_Security_Baseline
armtestvm4 | eastus | True | Compliant | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | SecurityCenterBuiltIn
armtestvm2 | eastus | False | NonCompliant | endpointprotectionhealthissuesmonitoringeffect | SecurityCenterBuiltIn
armtestvm2 | eastus | False | NonCompliant | installendpointprotection | SecurityCenterBuiltIn
armtestvm1 | eastus | False | NonCompliant | linuxguestconfigbaselinesmonitoring | SecurityCenterBuiltIn
armtestvm2 | eastus | True | Compliant | containerbenchmarkmonitoring | SecurityCenterBuiltIn
armtestvm2 | eastus | True | Compliant | disableipforwardingmonitoring | SecurityCenterBuiltIn
armtestvm2 | eastus | True | Compliant | restrictaccesstomanagementportsmonitoring | SecurityCenterBuiltIn
mds-mmztemzug5rtgljxgfswkljugv | southcentralus | True | Compliant | adaptiveapplicationcontrolsmonitoring | Azure_Security_Baseline
armtestvm4 | eastus | False | NonCompliant | linuxguestconfigbaselinesmonitoring | SecurityCenterBuiltIn
mds-mmztemzug5rtgljxgfswkljugv | southcentralus | True | Compliant | jitnetworkaccessmonitoring | Azure_Security_Baseline
armtestvm2 | eastus | True | Compliant | nextgenerationfirewallmonitoring | SecurityCenterBuiltIn
armtestvm2 | eastus | False | NonCompliant | serversqldbvulnerabilityassesmentmonitoring | SecurityCenterBuiltIn

Policy definitions referenced above (PolicyDefinitionReferenceId, definition name/id, version, PolicyCategory, PolicyDefinitionGroupNames, display name, description). Where the export shows "System.Object[]" for group names, the array was not expanded by the report script and the group names are not recoverable from this page.

jitnetworkaccessmonitoring
  Definition: b0f33259-77d7-4c9e-aac6-3aabcfae693c, /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c, version 3.0.0, Security Center, groups: System.Object[]
  Display name: Management ports of virtual machines should be protected with just-in-time network access control
  Description: Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations

systemupdatesv2monitoring
  Definition: f85bf3e0-d513-442e-89c3-1784ad63382b, /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b, version 1.0.0-preview, Security Center, groups: azure_security_benchmark_v3.0_pv-6
  Display name: [Preview]: System updates should be installed on your machines (powered by Update Center)
  Description: Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.

systemupdatesmonitoring
  Definition: 86b3d65f-7626-441e-b690-81a8b71cff60, /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60, version 4.0.0, Security Center, groups: azure_security_benchmark_v3.0_pv-6
  Display name: System updates should be installed on your machines
  Description: Missing security system updates on your servers will be monitored by Azure Security Center as recommendations

gcextonvmmonitoring
  Definition: ae89ebca-1c92-4898-ac2c-9f63decb045c, /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c, version 1.0.2, Security Center, groups: azure_security_benchmark_v3.0_pv-4
  Display name: Guest Configuration extension should be installed on your machines
  Description: To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.

azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect
  Definition: 013e242c-8828-4970-87b3-ab247555486d, /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d, version 3.0.0, Backup, groups: System.Object[]
  Display name: Azure Backup should be enabled for Virtual Machines
  Description: Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.

installloganalyticsagentonvmmonitoring
  Definition: a4fe33eb-e377-4efb-ab31-0784311bc499, /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499, version 1.0.0, Security Center, groups: azure_security_benchmark_v3.0_lt-5
  Display name: Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
  Description: This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats.

prerequisite_deployextensionlinux
  Definition: 331e8ea8-378a-410f-a2e5-ae22f38bb0da, /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da, version 3.0.0, Guest Configuration, effect deployifnotexists
  Display name: Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
  Description: This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.

endpointprotectionhealthissuesmonitoringeffect
  Definition: 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2, /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2, version 1.0.0, Security Center, groups: System.Object[]
  Display name: Endpoint protection health issues should be resolved on your machines
  Description: Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.

containerbenchmarkmonitoring
  Definition: e8cbc669-f12d-49eb-93e7-9273119e9933, /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933, version 3.0.0, Security Center, groups: System.Object[]
  Display name: Vulnerabilities in container security configurations should be remediated
  Description: Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.

authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect
  Definition: 630c64f9-8b6b-4c64-b511-6544ceff6fd6, /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6, version 3.0.0, Guest Configuration, groups: azure_security_benchmark_v3.0_im-6
  Display name: Authentication to Linux machines should require SSH keys
  Description: Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.

disableipforwardingmonitoring
  Definition: bd352bd5-2853-4985-bf0d-73806b4a5744, /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744, version 3.0.0, Security Center, groups: azure_security_benchmark_v3.0_ns-3
  Display name: IP Forwarding on your virtual machine should be disabled
  Description: Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.

restrictaccesstomanagementportsmonitoring
  Definition: 22730e10-96f6-4aac-ad84-9383d35b5917, /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917, version 3.0.0, Security Center, groups: azure_security_benchmark_v3.0_ns-3
  Display name: Management ports should be closed on your virtual machines
  Description: Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.

adaptivenetworkhardeningsmonitoring
  Definition: 08e6af2d-db70-460a-bfe9-d5bd474ba9d6, /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6, version 3.0.0, Security Center, groups: System.Object[]
  Display name: Adaptive network hardening recommendations should be applied on internet facing virtual machines
  Description: Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface.

linuxguestconfigbaselinesmonitoring
  Definition: fc9b3da7-8347-4380-8e70-0a0361d8dedd, /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd, version 2.0.0, Guest Configuration, groups: azure_security_benchmark_v3.0_pv-4
  Display name: Linux machines should meet requirements for the Azure compute security baseline
  Description: Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.

installendpointprotection
  Definition: 1f7c564c-0a90-4d44-b7e1-9d456cffaee8, /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8, version 1.0.0, Security Center, groups: azure_security_benchmark_v3.0_es-2
  Display name: Endpoint protection should be installed on your machines
  Description: To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.

adaptiveapplicationcontrolsmonitoring
  Definition: 47a6b606-51aa-4496-8bb7-64b11cf66adc, /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc, version 3.0.0, Security Center, groups: azure_security_benchmark_v3.0_am-5
  Display name: Adaptive application controls for defining safe applications should be enabled on your machines
  Description: Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.

nextgenerationfirewallmonitoring
  Definition: 9daedab3-fb2d-461e-b861-71790eead4f6, /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6, version 3.0.0, Security Center, groups: azure_security_benchmark_v3.0_ns-1
  Display name: All network ports should be restricted on network security groups associated to your virtual machine
  Description: Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.

serversqldbvulnerabilityassesmentmonitoring
  Definition: 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d, /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d, version 1.0.0, Security Center, groups: azure_security_benchmark_v3.0_pv-6
  Display name: SQL servers on machines should have vulnerability findings resolved
  Description: SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4armtestvm455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugvmds-mmztemzug5rtgljxgfswkljugv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugvmds-mmztemzug5rtgljxgfswkljugv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugvmds-mmztemzug5rtgljxgfswkljugv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4armtestvm455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugvmds-mmztemzug5rtgljxgfswkljugv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugvmds-mmztemzug5rtgljxgfswkljugv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm21.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration3.0.0prerequisite_deployextensionlinux331e8ea8-378a-410f-a2e5-ae22f38bb0da/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0datbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugvmds-mmztemzug5rtgljxgfswkljugv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
armtestvm2 | Microsoft.Compute/virtualMachines | SubscriptionId 1d81cec7-7ded-4731-884e-90c5aa59c622 | ResourceGroup armtest | ResourceLocation eastus | ResourceTags tbd | IsCompliant False | ComplianceState NonCompliant
  ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2
  PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
  PolicyDefinition: serversqldbvulnerabilityassesmentmonitoring = 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d (v1.0.0, groups: azure_security_benchmark_v3.0_pv-6, category: tbd, action: auditifnotexists) /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d
  PolicyAssignment: SecurityCenterBuiltIn (scope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622, parameters: tbd) /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
  PolicyDisplayName: SQL servers on machines should have vulnerability findings resolved (PolicyCategory: Security Center)
  PolicyDescription: SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.

armtestvm2 | Microsoft.Compute/virtualMachines | SubscriptionId 1d81cec7-7ded-4731-884e-90c5aa59c622 | ResourceGroup armtest | ResourceLocation eastus | ResourceTags tbd | IsCompliant True | ComplianceState Compliant
  ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2
  PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
  PolicyDefinition: adaptiveapplicationcontrolsupdatemonitoring = 123a3936-f020-408a-ba0c-47873faf1534 (v3.0.0, groups: azure_security_benchmark_v3.0_am-5, category: tbd, action: auditifnotexists) /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534
  PolicyAssignment: SecurityCenterBuiltIn (scope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622, parameters: tbd) /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
  PolicyDisplayName: Allowlist rules in your adaptive application control policy should be updated (PolicyCategory: Security Center)
  PolicyDescription: Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.

armtestvm2 | Microsoft.Compute/virtualMachines | SubscriptionId 1d81cec7-7ded-4731-884e-90c5aa59c622 | ResourceGroup armtest | ResourceLocation eastus | ResourceTags tbd | IsCompliant True | ComplianceState Compliant
  ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2
  PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
  PolicyDefinition: adaptivenetworkhardeningsmonitoring = 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 (v3.0.0, groups: System.Object[], category: tbd, action: auditifnotexists) /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6
  PolicyAssignment: SecurityCenterBuiltIn (scope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622, parameters: tbd) /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
  PolicyDisplayName: Adaptive network hardening recommendations should be applied on internet facing virtual machines (PolicyCategory: Security Center)
  PolicyDescription: Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface

armtestvm2 | Microsoft.Compute/virtualMachines | SubscriptionId 1d81cec7-7ded-4731-884e-90c5aa59c622 | ResourceGroup armtest | ResourceLocation eastus | ResourceTags tbd | IsCompliant True | ComplianceState Compliant
  ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2
  PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
  PolicyDefinition: restrictaccesstomanagementportsmonitoring = 22730e10-96f6-4aac-ad84-9383d35b5917 (v3.0.0, groups: azure_security_benchmark_v3.0_ns-3, category: tbd, action: auditifnotexists) /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917
  PolicyAssignment: SecurityCenterBuiltIn (scope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622, parameters: tbd) /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
  PolicyDisplayName: Management ports should be closed on your virtual machines (PolicyCategory: Security Center)
  PolicyDescription: Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.

armtestvm2 | Microsoft.Compute/virtualMachines | SubscriptionId 1d81cec7-7ded-4731-884e-90c5aa59c622 | ResourceGroup armtest | ResourceLocation eastus | ResourceTags tbd | IsCompliant True | ComplianceState Compliant
  ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2
  PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
  PolicyDefinition: disableipforwardingmonitoring = bd352bd5-2853-4985-bf0d-73806b4a5744 (v3.0.0, groups: azure_security_benchmark_v3.0_ns-3, category: tbd, action: auditifnotexists) /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744
  PolicyAssignment: SecurityCenterBuiltIn (scope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622, parameters: tbd) /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
  PolicyDisplayName: IP Forwarding on your virtual machine should be disabled (PolicyCategory: Security Center)
  PolicyDescription: Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.

armtestvm2 | Microsoft.Compute/virtualMachines | SubscriptionId 1d81cec7-7ded-4731-884e-90c5aa59c622 | ResourceGroup armtest | ResourceLocation eastus | ResourceTags tbd | IsCompliant False | ComplianceState NonCompliant
  ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2
  PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
  PolicyDefinition: installloganalyticsagentonvmmonitoring = a4fe33eb-e377-4efb-ab31-0784311bc499 (v1.0.0, groups: azure_security_benchmark_v3.0_lt-5, category: tbd, action: auditifnotexists) /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499
  PolicyAssignment: SecurityCenterBuiltIn (scope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622, parameters: tbd) /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
  PolicyDisplayName: Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring (PolicyCategory: Security Center)
  PolicyDescription: This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats

armtestvm2 | Microsoft.Compute/virtualMachines | SubscriptionId 1d81cec7-7ded-4731-884e-90c5aa59c622 | ResourceGroup armtest | ResourceLocation eastus | ResourceTags tbd | IsCompliant True | ComplianceState Compliant
  ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2
  PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
  PolicyDefinition: networksecuritygroupsoninternalvirtualmachinesmonitoring = bb91dfba-c30d-4263-9add-9c2384e659a6 (v3.0.0, groups: azure_security_benchmark_v3.0_ns-1, category: tbd, action: auditifnotexists) /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6
  PolicyAssignment: SecurityCenterBuiltIn (scope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622, parameters: tbd) /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
  PolicyDisplayName: Non-internet-facing virtual machines should be protected with network security groups (PolicyCategory: Security Center)
  PolicyDescription: Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc

armtestvm2 | Microsoft.Compute/virtualMachines | SubscriptionId 1d81cec7-7ded-4731-884e-90c5aa59c622 | ResourceGroup armtest | ResourceLocation eastus | ResourceTags tbd | IsCompliant True | ComplianceState Compliant
  ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2
  PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
  PolicyDefinition: systemupdatesautoassessmentmode = bd876905-5b84-4f73-ab2d-2e7a7c4568d9 (v2.0.0-preview, groups: azure_security_benchmark_v3.0_pv-6, category: tbd, action: audit) /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9
  PolicyAssignment: SecurityCenterBuiltIn (scope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622, parameters: tbd) /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
  PolicyDisplayName: [Preview]: Machines should be configured to periodically check for missing system updates (PolicyCategory: Update Management Center)
  PolicyDescription: To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.

armtestvm2 | Microsoft.Compute/virtualMachines | SubscriptionId 1d81cec7-7ded-4731-884e-90c5aa59c622 | ResourceGroup armtest | ResourceLocation eastus | ResourceTags tbd | IsCompliant True | ComplianceState Compliant
  ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2
  PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
  PolicyDefinition: classiccomputevmsmonitoring = 1d84d5fb-01f6-4d12-ba4f-4a26081d403d (v1.0.0, groups: azure_security_benchmark_v3.0_am-2, category: tbd, action: audit) /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d
  PolicyAssignment: SecurityCenterBuiltIn (scope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622, parameters: tbd) /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
  PolicyDisplayName: Virtual machines should be migrated to new Azure Resource Manager resources (PolicyCategory: Compute)
  PolicyDescription: Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management

armtestvm2 | Microsoft.Compute/virtualMachines | SubscriptionId 1d81cec7-7ded-4731-884e-90c5aa59c622 | ResourceGroup armtest | ResourceLocation eastus | ResourceTags tbd | IsCompliant True | ComplianceState Compliant
  ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2
  PolicySetDefinition: 12794019-7a00-42cf-95c2-882eed337cc8 (v1.0.0, category: guest configuration) /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8
  PolicyDefinition: prerequisite_addsystemidentitywhenuser = 497dff13-db2a-4c0f-8603-28fa3b331ab6 (v4.0.0, groups: none, category: tbd, action: modify) /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6
  PolicyAssignment: f34f1577286a4f77b5dd107c (scope: /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd, parameters: tbd) /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c
  PolicyDisplayName: Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity (PolicyCategory: Guest Configuration)
  PolicyDescription: This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.

armtestvm1 | Microsoft.Compute/virtualMachines | SubscriptionId 1d81cec7-7ded-4731-884e-90c5aa59c622 | ResourceGroup armtest | ResourceLocation eastus | ResourceTags tbd | IsCompliant False | ComplianceState NonCompliant
  ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1
  PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
  PolicyDefinition: endpointprotectionhealthissuesmonitoringeffect = 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 (v1.0.0, groups: System.Object[], category: tbd, action: auditifnotexists) /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2
  PolicyAssignment: Azure_Security_Baseline (scope: /providers/Microsoft.Management/managementGroups/MCAPSCore, parameters: tbd) /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
  PolicyDisplayName: Endpoint protection health issues should be resolved on your machines (PolicyCategory: Security Center)
  PolicyDescription: Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.

armtestvm1 | Microsoft.Compute/virtualMachines | SubscriptionId 1d81cec7-7ded-4731-884e-90c5aa59c622 | ResourceGroup armtest | ResourceLocation eastus | ResourceTags tbd | IsCompliant False | ComplianceState NonCompliant
  ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1
  PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
  PolicyDefinition: installendpointprotection = 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 (v1.0.0, groups: azure_security_benchmark_v3.0_es-2, category: tbd, action: auditifnotexists) /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8
  PolicyAssignment: Azure_Security_Baseline (scope: /providers/Microsoft.Management/managementGroups/MCAPSCore, parameters: tbd) /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
  PolicyDisplayName: Endpoint protection should be installed on your machines (PolicyCategory: Security Center)
  PolicyDescription: To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.

armtestvm1 | Microsoft.Compute/virtualMachines | SubscriptionId 1d81cec7-7ded-4731-884e-90c5aa59c622 | ResourceGroup armtest | ResourceLocation eastus | ResourceTags tbd | IsCompliant False | ComplianceState NonCompliant
  ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1
  PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
  PolicyDefinition: azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect = 013e242c-8828-4970-87b3-ab247555486d (v3.0.0, groups: System.Object[], category: tbd, action: auditifnotexists) /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d
  PolicyAssignment: Azure_Security_Baseline (scope: /providers/Microsoft.Management/managementGroups/MCAPSCore, parameters: tbd) /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
  PolicyDisplayName: Azure Backup should be enabled for Virtual Machines (PolicyCategory: Backup)
  PolicyDescription: Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.

armtestvm1 | Microsoft.Compute/virtualMachines | SubscriptionId 1d81cec7-7ded-4731-884e-90c5aa59c622 | ResourceGroup armtest | ResourceLocation eastus | ResourceTags tbd | IsCompliant True | ComplianceState Compliant
  ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1
  PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
  PolicyDefinition: containerbenchmarkmonitoring = e8cbc669-f12d-49eb-93e7-9273119e9933 (v3.0.0, groups: System.Object[], category: tbd, action: auditifnotexists) /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933
  PolicyAssignment: Azure_Security_Baseline (scope: /providers/Microsoft.Management/managementGroups/MCAPSCore, parameters: tbd) /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
  PolicyDisplayName: Vulnerabilities in container security configurations should be remediated (PolicyCategory: Security Center)
  PolicyDescription: Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.

armtestvm1 | Microsoft.Compute/virtualMachines | SubscriptionId 1d81cec7-7ded-4731-884e-90c5aa59c622 | ResourceGroup armtest | ResourceLocation eastus | ResourceTags tbd | IsCompliant True | ComplianceState Compliant
  ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1
  PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
  PolicyDefinition: disableipforwardingmonitoring = bd352bd5-2853-4985-bf0d-73806b4a5744 (v3.0.0, groups: azure_security_benchmark_v3.0_ns-3, category: tbd, action: auditifnotexists) /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744
  PolicyAssignment: Azure_Security_Baseline (scope: /providers/Microsoft.Management/managementGroups/MCAPSCore, parameters: tbd) /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
  PolicyDisplayName: IP Forwarding on your virtual machine should be disabled (PolicyCategory: Security Center)
  PolicyDescription: Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.

armtestvm1 | Microsoft.Compute/virtualMachines | SubscriptionId 1d81cec7-7ded-4731-884e-90c5aa59c622 | ResourceGroup armtest | ResourceLocation eastus | ResourceTags tbd | IsCompliant True | ComplianceState Compliant
  ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1
  PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
  PolicyDefinition: restrictaccesstomanagementportsmonitoring = 22730e10-96f6-4aac-ad84-9383d35b5917 (v3.0.0, groups: azure_security_benchmark_v3.0_ns-3, category: tbd, action: auditifnotexists) /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917
  PolicyAssignment: Azure_Security_Baseline (scope: /providers/Microsoft.Management/managementGroups/MCAPSCore, parameters: tbd) /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
  PolicyDisplayName: Management ports should be closed on your virtual machines (PolicyCategory: Security Center)
  PolicyDescription: Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.

armtestvm1 | Microsoft.Compute/virtualMachines | SubscriptionId 1d81cec7-7ded-4731-884e-90c5aa59c622 | ResourceGroup armtest | ResourceLocation eastus | ResourceTags tbd | IsCompliant True | ComplianceState Compliant
  ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1
  PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
  PolicyDefinition: adaptivenetworkhardeningsmonitoring = 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 (v3.0.0, groups: System.Object[], category: tbd, action: auditifnotexists) /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6
  PolicyAssignment: Azure_Security_Baseline (scope: /providers/Microsoft.Management/managementGroups/MCAPSCore, parameters: tbd) /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
  PolicyDisplayName: Adaptive network hardening recommendations should be applied on internet facing virtual machines (PolicyCategory: Security Center)
  PolicyDescription: Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface

armtestvm1 | Microsoft.Compute/virtualMachines | SubscriptionId 1d81cec7-7ded-4731-884e-90c5aa59c622 | ResourceGroup armtest | ResourceLocation eastus | ResourceTags tbd | IsCompliant False | ComplianceState NonCompliant
  ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1
  PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
  PolicyDefinition: serversqldbvulnerabilityassesmentmonitoring = 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d (v1.0.0, groups: azure_security_benchmark_v3.0_pv-6, category: tbd, action: auditifnotexists) /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d
  PolicyAssignment: Azure_Security_Baseline (scope: /providers/Microsoft.Management/managementGroups/MCAPSCore, parameters: tbd) /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
  PolicyDisplayName: SQL servers on machines should have vulnerability findings resolved (PolicyCategory: Security Center)
  PolicyDescription: SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.

armtestvm1 | Microsoft.Compute/virtualMachines | SubscriptionId 1d81cec7-7ded-4731-884e-90c5aa59c622 | ResourceGroup armtest | ResourceLocation eastus | ResourceTags tbd | IsCompliant True | ComplianceState Compliant
  ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1
  PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
  PolicyDefinition: nextgenerationfirewallmonitoring = 9daedab3-fb2d-461e-b861-71790eead4f6 (v3.0.0, groups: azure_security_benchmark_v3.0_ns-1, category: tbd, action: auditifnotexists) /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6
  PolicyAssignment: Azure_Security_Baseline (scope: /providers/Microsoft.Management/managementGroups/MCAPSCore, parameters: tbd) /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
  PolicyDisplayName: All network ports should be restricted on network security groups associated to your virtual machine (PolicyCategory: Security Center)
  PolicyDescription: Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.

armtestvm1 | Microsoft.Compute/virtualMachines | SubscriptionId 1d81cec7-7ded-4731-884e-90c5aa59c622 | ResourceGroup armtest | ResourceLocation eastus | ResourceTags tbd | IsCompliant False | ComplianceState NonCompliant
  ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1
  PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
  PolicyDefinition: servervulnerabilityassessment = 501541f7-f7e7-4cd6-868c-4190fdad3ac9 (v3.0.0, groups: azure_security_benchmark_v3.0_pv-5, category: tbd, action: auditifnotexists) /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9
  PolicyAssignment: Azure_Security_Baseline (scope: /providers/Microsoft.Management/managementGroups/MCAPSCore, parameters: tbd) /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
  PolicyDisplayName: A vulnerability assessment solution should be enabled on your virtual machines (PolicyCategory: Security Center)
  PolicyDescription: Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.

armtestvm1 | Microsoft.Compute/virtualMachines | SubscriptionId 1d81cec7-7ded-4731-884e-90c5aa59c622 | ResourceGroup armtest | ResourceLocation eastus | ResourceTags tbd | IsCompliant True | ComplianceState Compliant
  ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1
  PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
  PolicyDefinition: diskencryptionmonitoring = 0961003e-5a0a-4549-abde-af6a37f2724d (v2.0.3, groups: azure_security_benchmark_v3.0_dp-4, category: tbd, action: auditifnotexists) /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d
  PolicyAssignment: Azure_Security_Baseline (scope: /providers/Microsoft.Management/managementGroups/MCAPSCore, parameters: tbd) /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
  PolicyDisplayName: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources (PolicyCategory: Security Center)
  PolicyDescription: By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison

armtestvm1 | Microsoft.Compute/virtualMachines | SubscriptionId 1d81cec7-7ded-4731-884e-90c5aa59c622 | ResourceGroup armtest | ResourceLocation eastus | ResourceTags tbd | IsCompliant True | ComplianceState Compliant
  ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1
  PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
  PolicyDefinition: endpointprotectionmonitoring = af6cd1bd-1635-48cb-bde7-5b15693900b9 (v3.0.0, groups: azure_security_benchmark_v3.0_es-2, category: tbd, action: auditifnotexists) /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9
  PolicyAssignment: Azure_Security_Baseline (scope: /providers/Microsoft.Management/managementGroups/MCAPSCore, parameters: tbd) /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
  PolicyDisplayName: Monitor missing Endpoint Protection in Azure Security Center (PolicyCategory: Security Center)
  PolicyDescription: Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations

mds-mmztemzug5rtgljxgfswkljugv | Microsoft.Compute/virtualMachines | SubscriptionId 1d81cec7-7ded-4731-884e-90c5aa59c622 | ResourceGroup armtest | ResourceLocation southcentralus | ResourceTags tbd | IsCompliant True | ComplianceState Compliant
  ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv
  PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
  PolicyDefinition: systemupdatesv2monitoring = f85bf3e0-d513-442e-89c3-1784ad63382b (v1.0.0-preview, groups: azure_security_benchmark_v3.0_pv-6, category: tbd, action: auditifnotexists) /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b
  PolicyAssignment: Azure_Security_Baseline (scope: /providers/Microsoft.Management/managementGroups/MCAPSCore, parameters: tbd) /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
  PolicyDisplayName: [Preview]: System updates should be installed on your machines (powered by Update Center) (PolicyCategory: Security Center)
  PolicyDescription: Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.

mds-mmztemzug5rtgljxgfswkljugv | Microsoft.Compute/virtualMachines | SubscriptionId 1d81cec7-7ded-4731-884e-90c5aa59c622 | ResourceGroup armtest | ResourceLocation southcentralus | ResourceTags tbd | IsCompliant True | ComplianceState Compliant
  ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv
  PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
  PolicyDefinition: systemupdatesmonitoring = 86b3d65f-7626-441e-b690-81a8b71cff60 (v4.0.0, groups: azure_security_benchmark_v3.0_pv-6, category: tbd, action: auditifnotexists) /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60
  PolicyAssignment: Azure_Security_Baseline (scope: /providers/Microsoft.Management/managementGroups/MCAPSCore, parameters: tbd) /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
  PolicyDisplayName: System updates should be installed on your machines (PolicyCategory: Security Center)
  PolicyDescription: Missing security system updates on your servers will be monitored by Azure Security Center as recommendations

armtestvm1 | Microsoft.Compute/virtualMachines | SubscriptionId 1d81cec7-7ded-4731-884e-90c5aa59c622 | ResourceGroup armtest | ResourceLocation eastus | ResourceTags tbd | IsCompliant True | ComplianceState Compliant
  ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1
  PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
  PolicyDefinition: systemconfigurationsmonitoring = e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 (v3.0.0, groups: azure_security_benchmark_v3.0_pv-6, category: tbd, action: auditifnotexists) /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15
  PolicyAssignment: Azure_Security_Baseline (scope: /providers/Microsoft.Management/managementGroups/MCAPSCore, parameters: tbd) /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
  PolicyDisplayName: Vulnerabilities in security configuration on your machines should be remediated (PolicyCategory: Security Center)
  PolicyDescription: Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations

armtestvm1 | Microsoft.Compute/virtualMachines | SubscriptionId 1d81cec7-7ded-4731-884e-90c5aa59c622 | ResourceGroup armtest | ResourceLocation eastus | ResourceTags tbd | IsCompliant True | ComplianceState Compliant
  ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1
  PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
  PolicyDefinition: networksecuritygroupsoninternalvirtualmachinesmonitoring = bb91dfba-c30d-4263-9add-9c2384e659a6 (v3.0.0, groups: azure_security_benchmark_v3.0_ns-1, category: tbd, action: auditifnotexists) /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6
  PolicyAssignment: Azure_Security_Baseline (scope: /providers/Microsoft.Management/managementGroups/MCAPSCore, parameters: tbd) /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
  PolicyDisplayName: Non-internet-facing virtual machines should be protected with network security groups (PolicyCategory: Security Center)
  PolicyDescription: Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc

armtestvm1 | Microsoft.Compute/virtualMachines | SubscriptionId 1d81cec7-7ded-4731-884e-90c5aa59c622 | ResourceGroup armtest | ResourceLocation eastus | ResourceTags tbd | IsCompliant True | ComplianceState Compliant
  ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1
  PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
  PolicyDefinition: networksecuritygroupsonvirtualmachinesmonitoring = f6de0be7-9a8a-4b8a-b349-43cf02d22f7c (v3.0.0, groups: azure_security_benchmark_v3.0_ns-1, category: tbd, action: auditifnotexists) /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c
  PolicyAssignment: Azure_Security_Baseline (scope: /providers/Microsoft.Management/managementGroups/MCAPSCore, parameters: tbd) /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
  PolicyDisplayName: Internet-facing virtual machines should be protected with network security groups (PolicyCategory: Security Center)
  PolicyDescription: Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc

armtestvm1 | Microsoft.Compute/virtualMachines | SubscriptionId 1d81cec7-7ded-4731-884e-90c5aa59c622 | ResourceGroup armtest | ResourceLocation eastus | ResourceTags tbd | IsCompliant True | ComplianceState Compliant
  ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1
  PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
  PolicyDefinition: adaptiveapplicationcontrolsupdatemonitoring = 123a3936-f020-408a-ba0c-47873faf1534 (v3.0.0, groups: azure_security_benchmark_v3.0_am-5, category: tbd, action: auditifnotexists) /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534
  PolicyAssignment: Azure_Security_Baseline (scope: /providers/Microsoft.Management/managementGroups/MCAPSCore, parameters: tbd) /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
  PolicyDisplayName: Allowlist rules in your adaptive application control policy should be updated (PolicyCategory: Security Center)
  PolicyDescription: Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.

1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1armtestvm155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1armtestvm155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugvmds-mmztemzug5rtgljxgfswkljugv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugvmds-mmztemzug5rtgljxgfswkljugv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2-previewascdependencyagentauditlinuxeffect04c4380f-3fae-46e8-96c9-30193528f602/providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602azure_security_benchmark_v3.0_lt-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSecurity Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.Monitoring[Preview]: Network traffic data collection agent should be installed on Linux virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm21.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugvmds-mmztemzug5rtgljxgfswkljugv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3armtestvm355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3armtestvm355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3armtestvm355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3armtestvm355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3armtestvm355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3armtestvm355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljugaserver-gzstsmlegeygmljqmztgiljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljugaserver-gzstsmlegeygmljqmztgiljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3armtestvm355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3armtestvm355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljugaserver-gzstsmlegeygmljqmztgiljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3armtestvm355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3armtestvm355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3armtestvm355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljugaserver-gzstsmlegeygmljqmztgiljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljugaserver-gzstsmlegeygmljqmztgiljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm1 | armtestvm1 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622 | ARMTEST | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy | filer-g5rwmzlemi2gmllemiytaljugy | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines/extensions | tbd | southcentralus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 1.0.0 |  |  | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration |  | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 |  | tbd | modify |  | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | tbd |  | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4 | armtestvm4 | 1.0.0 |  |  | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration |  | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e |  | tbd | modify |  | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | tbd |  | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljuga | server-gzstsmlegeygmljqmztgiljuga | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3 | armtestvm3 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | armtest | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2 | armtestvm2 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3armtestvm355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm4armtestvm455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/server-gzstsmlegeygmljqmztgiljugaserver-gzstsmlegeygmljqmztgiljuga1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3armtestvm31.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration3.0.0prerequisite_deployextensionlinux331e8ea8-378a-410f-a2e5-ae22f38bb0da/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0datbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3armtestvm355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3armtestvm355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugvmds-mmztemzug5rtgljxgfswkljugv1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration3.0.0prerequisite_deployextensionlinux331e8ea8-378a-410f-a2e5-ae22f38bb0da/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0datbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugvmds-mmztemzug5rtgljxgfswkljugv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3armtestvm355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3armtestvm355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3armtestvm355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3armtestvm355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3armtestvm355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3armtestvm355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugvmds-mmztemzug5rtgljxgfswkljugv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugvmds-mmztemzug5rtgljxgfswkljugv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3armtestvm355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3armtestvm355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3armtestvm31.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm3armtestvm31.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm2armtestvm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugvmds-mmztemzug5rtgljxgfswkljugv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vmarmtest-jump-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtestvm5armtestvm555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugvmds-mmztemzug5rtgljxgfswkljugv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugvmds-mmztemzug5rtgljxgfswkljugv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugvmds-mmztemzug5rtgljxgfswkljugv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugvmds-mmztemzug5rtgljxgfswkljugv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugvmds-mmztemzug5rtgljxgfswkljugv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugvmds-mmztemzug5rtgljxgfswkljugv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugvmds-mmztemzug5rtgljxgfswkljugv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugvmds-mmztemzug5rtgljxgfswkljugv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugvmds-mmztemzug5rtgljxgfswkljugv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugvmds-mmztemzug5rtgljxgfswkljugv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugvmds-mmztemzug5rtgljxgfswkljugv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugvmds-mmztemzug5rtgljxgfswkljugv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vmarmtest-jump-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vmarmtest-jump-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugvmds-mmztemzug5rtgljxgfswkljugv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugvmds-mmztemzug5rtgljxgfswkljugv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugvmds-mmztemzug5rtgljxgfswkljugv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1arm-cc-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachineScaleSetstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachinescalesets/oss-4cdsx3j5brhdjoss-4cdsx3j5brhdj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachineScaleSetstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachinescalesets/oss-4cdsx3j5brhdjoss-4cdsx3j5brhdj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.1.0diagnosticslogsinservicefabricmonitoringeffect7c1b1214-f927-48bf-8882-84f0af6588b1/providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1azure_security_benchmark_v3.0_lt-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinIt is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise.ComputeResource logs in Virtual Machine Scale Sets should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachineScaleSets,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachinescalesets/oss-4cdsx3j5brhdj,oss-4cdsx3j5brhdj,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vmsssystemupdatesmonitoring,c3f317a7-a95c-4547-b7e7-11017ebdf2fe,/providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure.",Security Center,System updates on virtual machine scale sets should be installed
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachineScaleSets,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachinescalesets/oss-4cdsx3j5brhdj,oss-4cdsx3j5brhdj,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vmssendpointprotectionmonitoring,26a828e1-e88f-464e-bbb3-c134a282b9de,/providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.",Security Center,Endpoint protection solution should be installed on virtual machine scale sets
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachineScaleSets,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachinescalesets/oss-4cdsx3j5brhdj,oss-4cdsx3j5brhdj,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vmssosvulnerabilitiesmonitoring,3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4,/providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks.",Security Center,Vulnerabilities in security configuration on your virtual machine scale sets should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachineScaleSets,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachinescalesets/oss-4cdsx3j5brhdj,oss-4cdsx3j5brhdj,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmssmonitoring,a3a6ea0c-e018-4933-9ef0-5aaa1501449b,/providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats.",Security Center,Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1,arm-cc-1,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhennone,3cf2ab00-13f1-4d0c-8971-2ac904541a7e,/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1,arm-cc-1,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhenuser,497dff13-db2a-4c0f-8603-28fa3b331ab6,/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1,arm-cc-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1,arm-cc-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1,arm-cc-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1,arm-cc-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachineScaleSets,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachinescalesets/oss-4cdsx3j5brhdj,oss-4cdsx3j5brhdj,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.1.0,diagnosticslogsinservicefabricmonitoringeffect,7c1b1214-f927-48bf-8882-84f0af6588b1,/providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1,azure_security_benchmark_v3.0_lt-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise.",Compute,Resource logs in Virtual Machine Scale Sets should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1,arm-cc-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv,mds-mmztemzug5rtgljxgfswkljugv,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,Adaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines/extensions,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv/extensions/azurepolicyforlinux,azurepolicyforlinux,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Network/virtualNetworks/subnets,tbd,,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.network/virtualnetworks/armtestvnet/subnets/viz,viz,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",Security Center,Subnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Network/virtualNetworks/subnets,tbd,,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.network/virtualnetworks/armtestvnet/subnets/lustre-mgt,lustre-mgt,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",Security Center,Subnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Network/virtualNetworks/subnets,tbd,,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.network/virtualnetworks/armtestvnet/subnets/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",Security Center,Subnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Network/virtualNetworks/subnets,tbd,,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.network/virtualnetworks/armtestvnet/subnets/gatewaysubnet,gatewaysubnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",Security Center,Subnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Network/virtualNetworks/subnets,tbd,,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.network/virtualnetworks/armtestvnet/subnets/compute,compute,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",Security Center,Subnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Network/virtualNetworks/subnets,tbd,,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.network/virtualnetworks/armtestvnet/subnets/login,login,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",Security Center,Subnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Network/virtualNetworks/subnets,tbd,,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.network/virtualnetworks/armtestvnet/subnets/hpcpack,hpcpack,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",Security Center,Subnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Network/virtualNetworks/subnets,tbd,,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.network/virtualnetworks/armtestvnet/subnets/infra,infra,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",Security Center,Subnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Network/virtualNetworks/subnets,tbd,,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.network/virtualnetworks/armtestvnet/subnets/anf,anf,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",Security Center,Subnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Network/virtualNetworks,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.network/virtualnetworks/armtestvnet,armtestvnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vnetenableddosprotectionmonitoring,a7aca53f-2ed4-4466-a25e-0b45ade68efd,/providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd,azure_security_benchmark_v3.0_ns-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.",Security Center,Azure DDoS Protection Standard should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv,mds-mmztemzug5rtgljxgfswkljugv,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Exempt,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm,armtest-jump-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,System updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm,armtest-jump-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv,mds-mmztemzug5rtgljxgfswkljugv,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv,mds-mmztemzug5rtgljxgfswkljugv,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,Management ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv,mds-mmztemzug5rtgljxgfswkljugv,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.DBforMariaDB/servers,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.dbformariadb/servers/armtest-mdb1,armtest-mdb1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,privateendpointshouldbeenabledformariadbserversmonitoringeffect,0a1302fb-a631-4106-9753-f3d494733990,/providers/microsoft.authorization/policydefinitions/0a1302fb-a631-4106-9753-f3d494733990,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.",SQL,Private endpoint should be enabled for MariaDB servers
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugv,mds-mmztemzug5rtgljxgfswkljugv,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.DBforMariaDB/serverstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.dbformariadb/servers/armtest-mdb1armtest-mdb155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2privateendpointshouldbeenabledformariadbserversmonitoringeffect0a1302fb-a631-4106-9753-f3d494733990/providers/microsoft.authorization/policydefinitions/0a1302fb-a631-4106-9753-f3d494733990azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPrivate endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.SQLPrivate endpoint should be enabled for MariaDB servers
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.DBforMariaDB/serverstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.dbformariadb/servers/armtest-mdb1armtest-mdb11.0.1e77fc0b3-f7e9-4c58-bc13-cb753ed8e46e/providers/Microsoft.Authorization/policySetDefinitions/e77fc0b3-f7e9-4c58-bc13-cb753ed8e46esecurity center1.0.1deployadvancedthreatprotectiononazuredatabaseformariadbservera6cf7411-da9e-49e2-aec0-cba0250eaf8c/providers/microsoft.authorization/policydefinitions/a6cf7411-da9e-49e2-aec0-cba0250eaf8ctbddeployifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdOpenSourceRelationalDatabasesProtectionSecurityCenter/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/opensourcerelationaldatabasesprotectionsecuritycenterEnable Advanced Threat Protection on your non-Basic tier Azure database for MariaDB servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.SQLConfigure Advanced Threat Protection to be enabled on Azure database for MariaDB servers
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.DBforMariaDB/serverstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.dbformariadb/servers/armtest-mdb1armtest-mdb155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0publicnetworkaccessshouldbedisabledformariadbserversmonitoringeffectfdccbe47-f3e3-4213-ad5d-ea459b2fa077/providers/microsoft.authorization/policydefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineDisable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.SQLPublic network access should be disabled for MariaDB servers
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.DBforMariaDB/serverstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.dbformariadb/servers/armtest-mdb1armtest-mdb155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1georedundantbackupshouldbeenabledforazuredatabaseformariadbmonitoringeffect0ec47710-77ff-4a3d-9181-6aa50af424d0/providers/microsoft.authorization/policydefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0System.Object[]tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.SQLGeo-redundant backup should be enabled for Azure Database for MariaDB
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.DBforMariaDB/serverstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.dbformariadb/servers/armtest-mdb1armtest-mdb155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0publicnetworkaccessshouldbedisabledformariadbserversmonitoringeffectfdccbe47-f3e3-4213-ad5d-ea459b2fa077/providers/microsoft.authorization/policydefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDisable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.SQLPublic network access should be disabled for MariaDB servers
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.DBforMariaDB/serverstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.dbformariadb/servers/armtest-mdb1armtest-mdb155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1georedundantbackupshouldbeenabledforazuredatabaseformariadbmonitoringeffect0ec47710-77ff-4a3d-9181-6aa50af424d0/providers/microsoft.authorization/policydefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0System.Object[]tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.SQLGeo-redundant backup should be enabled for Azure Database for MariaDB
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugvmds-mmztemzug5rtgljxgfswkljugv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vmarmtest-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugvmds-mmztemzug5rtgljxgfswkljugv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugy/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugvmds-mmztemzug5rtgljxgfswkljugv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugvmds-mmztemzug5rtgljxgfswkljugv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugvmds-mmztemzug5rtgljxgfswkljugv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1arm-cc-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1arm-cc-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1arm-cc-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1arm-cc-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1arm-cc-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1arm-cc-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1arm-cc-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1arm-cc-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1arm-cc-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1arm-cc-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm,armtest-jump-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1,arm-cc-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1,arm-cc-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1,arm-cc-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines/extensions,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1/extensions/azurepolicyforlinux,azurepolicyforlinux,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines/extensions,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1/extensions/azurepolicyforlinux,azurepolicyforlinux,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1,arm-cc-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,Azure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1,arm-cc-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,Monitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1,arm-cc-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,Azure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm,armtest-cc-vm,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhenuser,497dff13-db2a-4c0f-8603-28fa3b331ab6,/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,,tbd,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm,armtest-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm,armtest-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm,armtest-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm,armtest-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm,armtest-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm,armtest-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm,armtest-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm,armtest-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Exempt,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm,armtest-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,System updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm,armtest-jump-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm,armtest-jump-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm,armtest-jump-vm,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhennone,3cf2ab00-13f1-4d0c-8971-2ac904541a7e,/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,,tbd,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vm,armtest-jump-vm,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhenuser,497dff13-db2a-4c0f-8603-28fa3b331ab6,/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,,tbd,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm,armtest-cc-vm,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhennone,3cf2ab00-13f1-4d0c-8971-2ac904541a7e,/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,,tbd,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1,arm-cc-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,Vulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1,arm-cc-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Non-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1,arm-cc-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Exempt,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1,arm-cc-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,System updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1,arm-cc-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1,arm-cc-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,Guest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,armtest,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1,arm-cc-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1arm-cc-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1arm-cc-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1arm-cc-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vmarmtest-jump-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1arm-cc-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1arm-cc-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1arm-cc-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1arm-cc-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1arm-cc-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1arm-cc-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1arm-cc-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1arm-cc-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1arm-cc-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1arm-cc-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1arm-cc-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1arm-cc-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1arm-cc-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vmarmtest-jump-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1arm-cc-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Network/virtualNetworkstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.network/virtualnetworks/armtestvnetarmtestvnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0-previewazurefirewalleffectfc5e4038-4584-4632-8c85-c0448d374b2c/providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2cazure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewallNetwork[Preview]: All Internet traffic should be routed via your deployed Azure Firewall
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1arm-cc-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1arm-cc-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1arm-cc-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1arm-cc-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1arm-cc-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1arm-cc-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1arm-cc-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/arm-cc-1arm-cc-11.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration3.0.0prerequisite_deployextensionlinux331e8ea8-378a-410f-a2e5-ae22f38bb0da/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0datbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Network/virtualNetworkstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.network/virtualnetworks/armtest-vnetarmtest-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vnetenableddosprotectionmonitoringa7aca53f-2ed4-4466-a25e-0b45ade68efd/providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efdazure_security_benchmark_v3.0_ns-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.Security CenterAzure DDoS Protection Standard should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vmarmtest-jump-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.network/virtualnetworks/armtest-vnet/subnets/computecompute55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vmarmtest-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.storage/storageaccounts/armtestmovearmtestmove55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.storage/storageaccounts/armtestmovearmtestmove55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vmarmtest-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vmarmtest-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vmarmtest-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vmarmtest-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vmarmtest-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vmarmtest-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vmarmtest-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vmarmtest-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vmarmtest-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vmarmtest-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vmarmtest-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vm/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vmarmtest-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.storage/storageaccounts/armccstorage1armccstorage155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.storage/storageaccounts/armtestmovearmtestmove55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.storage/storageaccounts/armccstorage1armccstorage155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.storage/storageaccounts/armccstorage1armccstorage155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
Common values for every row below: subscription 1d81cec7-7ded-4731-884e-90c5aa59c622, resource group armtest, location eastus, tags "tbd"; policy set definition 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8, category "security center", version 55.0.0). Resource IDs follow /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/<type>/<name>. Assignment Azure_Security_Baseline is scoped to management group MCAPSCore (/providers/Microsoft.Management/managementGroups/MCAPSCore, assignment id /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline); assignment SecurityCenterBuiltIn is scoped to the subscription (/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin). A group name shown as "System.Object[]" is the value as exported (an unexpanded array).

Resource | Type | Compliance | Policy (display name) | Policy category | Effect | Policy group | Assignment
armccstorage1 | Microsoft.Storage/storageAccounts | Compliant | Secure transfer to storage accounts should be enabled | Storage | audit | azure_security_benchmark_v3.0_dp-3 | Azure_Security_Baseline
armccstorage1 | Microsoft.Storage/storageAccounts | Compliant | Storage accounts should be migrated to new Azure Resource Manager resources | Storage | audit | azure_security_benchmark_v3.0_am-2 | Azure_Security_Baseline
armccstorage1 | Microsoft.Storage/storageAccounts | Compliant | [Preview]: Storage account public access should be disallowed | Storage | audit | azure_security_benchmark_v3.0_ns-2 | Azure_Security_Baseline
armccstorage1 | Microsoft.Storage/storageAccounts | NonCompliant | Storage accounts should restrict network access using virtual network rules | Storage | audit | azure_security_benchmark_v3.0_ns-2 | Azure_Security_Baseline
armccstorage1 | Microsoft.Storage/storageAccounts | NonCompliant | Storage accounts should use private link | Storage | auditifnotexists | azure_security_benchmark_v3.0_ns-2 | Azure_Security_Baseline
armtestmove | Microsoft.Storage/storageAccounts | Compliant | Secure transfer to storage accounts should be enabled | Storage | audit | azure_security_benchmark_v3.0_dp-3 | SecurityCenterBuiltIn
armtestmove | Microsoft.Storage/storageAccounts | Compliant | [Preview]: Storage account public access should be disallowed | Storage | audit | azure_security_benchmark_v3.0_ns-2 | SecurityCenterBuiltIn
armtestmove | Microsoft.Storage/storageAccounts | NonCompliant | Storage accounts should restrict network access using virtual network rules | Storage | audit | azure_security_benchmark_v3.0_ns-2 | SecurityCenterBuiltIn
armtestmove | Microsoft.Storage/storageAccounts | Compliant | Storage accounts should restrict network access | Storage | audit | azure_security_benchmark_v3.0_ns-2 | Azure_Security_Baseline
armtestmove | Microsoft.Storage/storageAccounts | Compliant | Secure transfer to storage accounts should be enabled | Storage | audit | azure_security_benchmark_v3.0_dp-3 | Azure_Security_Baseline
armtestmove | Microsoft.Storage/storageAccounts | Compliant | Storage accounts should be migrated to new Azure Resource Manager resources | Storage | audit | azure_security_benchmark_v3.0_am-2 | Azure_Security_Baseline
armtestmove | Microsoft.Storage/storageAccounts | Compliant | [Preview]: Storage account public access should be disallowed | Storage | audit | azure_security_benchmark_v3.0_ns-2 | Azure_Security_Baseline
armtestmove | Microsoft.Storage/storageAccounts | Compliant | Storage accounts should be migrated to new Azure Resource Manager resources | Storage | audit | azure_security_benchmark_v3.0_am-2 | SecurityCenterBuiltIn
armccstorage1 | Microsoft.Storage/storageAccounts | Compliant | [Preview]: Storage account public access should be disallowed | Storage | audit | azure_security_benchmark_v3.0_ns-2 | SecurityCenterBuiltIn
armtest-cc-vm | Microsoft.Compute/virtualMachines | NonCompliant | SQL servers on machines should have vulnerability findings resolved | Security Center | auditifnotexists | azure_security_benchmark_v3.0_pv-6 | SecurityCenterBuiltIn
armtest-cc-vm | Microsoft.Compute/virtualMachines | Compliant | Management ports should be closed on your virtual machines | Security Center | auditifnotexists | azure_security_benchmark_v3.0_ns-3 | SecurityCenterBuiltIn
armtest-cc-vm | Microsoft.Compute/virtualMachines | Compliant | A vulnerability assessment solution should be enabled on your virtual machines | Security Center | auditifnotexists | azure_security_benchmark_v3.0_pv-5 | Azure_Security_Baseline
armtest-cc-vm | Microsoft.Compute/virtualMachines | Compliant | All network ports should be restricted on network security groups associated to your virtual machine | Security Center | auditifnotexists | azure_security_benchmark_v3.0_ns-1 | Azure_Security_Baseline
armtest-cc-vm | Microsoft.Compute/virtualMachines | NonCompliant | SQL servers on machines should have vulnerability findings resolved | Security Center | auditifnotexists | azure_security_benchmark_v3.0_pv-6 | Azure_Security_Baseline
armtest-cc-vm | Microsoft.Compute/virtualMachines | Compliant | Adaptive network hardening recommendations should be applied on internet facing virtual machines | Security Center | auditifnotexists | System.Object[] | Azure_Security_Baseline
armtest-cc-vm | Microsoft.Compute/virtualMachines | Compliant | Management ports should be closed on your virtual machines | Security Center | auditifnotexists | azure_security_benchmark_v3.0_ns-3 | Azure_Security_Baseline
armtest-cc-vm | Microsoft.Compute/virtualMachines | Compliant | IP Forwarding on your virtual machine should be disabled | Security Center | auditifnotexists | azure_security_benchmark_v3.0_ns-3 | Azure_Security_Baseline
armtest-cc-vm | Microsoft.Compute/virtualMachines | Compliant | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | Security Center | auditifnotexists | azure_security_benchmark_v3.0_dp-4 | Azure_Security_Baseline
armtest-cc-vm | Microsoft.Compute/virtualMachines | Compliant | Vulnerabilities in container security configurations should be remediated | Security Center | auditifnotexists | System.Object[] | Azure_Security_Baseline
armtest-cc-vm | Microsoft.Compute/virtualMachines | NonCompliant | Endpoint protection should be installed on your machines | Security Center | auditifnotexists | azure_security_benchmark_v3.0_es-2 | Azure_Security_Baseline
armtest-cc-vm | Microsoft.Compute/virtualMachines | NonCompliant | Endpoint protection health issues should be resolved on your machines | Security Center | auditifnotexists | System.Object[] | Azure_Security_Baseline
armtest-cc-vm/extensions/azurepolicyforlinux | Microsoft.Compute/virtualMachines/extensions | Compliant | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | Security Center | auditifnotexists | System.Object[] | SecurityCenterBuiltIn
armtest-cc-vm | Microsoft.Compute/virtualMachines | NonCompliant | Azure Backup should be enabled for Virtual Machines | Backup | auditifnotexists | System.Object[] | Azure_Security_Baseline
armtest-jump-vm/extensions/azurepolicyforlinux | Microsoft.Compute/virtualMachines/extensions | Compliant | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | Security Center | auditifnotexists | System.Object[] | Azure_Security_Baseline
armtest-jump-vm | Microsoft.Compute/virtualMachines | Compliant | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring | Security Center | auditifnotexists | azure_security_benchmark_v3.0_lt-5 | SecurityCenterBuiltIn
arm-cc-1 | Microsoft.Compute/virtualMachines | NonCompliant | Linux machines should meet requirements for the Azure compute security baseline | Guest Configuration | auditifnotexists | azure_security_benchmark_v3.0_pv-4 | SecurityCenterBuiltIn

Policy definitions referenced above (definition id, version, reference id, description as exported; each definition id lives under /providers/microsoft.authorization/policydefinitions/<id>):

Secure transfer to storage accounts should be enabled: 404c3081-a854-4457-ae30-26a93ef643f9, v2.0.0, ref securetransfertostorageaccountmonitoring. Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.

Storage accounts should be migrated to new Azure Resource Manager resources: 37e0d2fe-28a5-43d6-a273-67d37d1f5606, v1.0.0, ref classicstorageaccountsmonitoring. Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management.

[Preview]: Storage account public access should be disallowed: 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751, v3.1.0-preview, ref storagedisallowpublicaccess. Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.

Storage accounts should restrict network access using virtual network rules: 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f, v1.0.1, ref storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect. Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.

Storage accounts should use private link: 6edd7eda-6dd8-40f7-810d-67160c639cd9, v2.0.0, ref storageaccountshoulduseaprivatelinkconnectionmonitoringeffect. Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at https://aka.ms/azureprivatelinkoverview

Storage accounts should restrict network access: 34c877ad-507e-4c82-993e-3452a6e0ad3c, v1.1.1, ref disableunrestrictednetworktostorageaccountmonitoring. Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.

SQL servers on machines should have vulnerability findings resolved: 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d, v1.0.0, ref serversqldbvulnerabilityassesmentmonitoring. SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.

Management ports should be closed on your virtual machines: 22730e10-96f6-4aac-ad84-9383d35b5917, v3.0.0, ref restrictaccesstomanagementportsmonitoring. Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.

A vulnerability assessment solution should be enabled on your virtual machines: 501541f7-f7e7-4cd6-868c-4190fdad3ac9, v3.0.0, ref servervulnerabilityassessment. Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.

All network ports should be restricted on network security groups associated to your virtual machine: 9daedab3-fb2d-461e-b861-71790eead4f6, v3.0.0, ref nextgenerationfirewallmonitoring. Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.

Adaptive network hardening recommendations should be applied on internet facing virtual machines: 08e6af2d-db70-460a-bfe9-d5bd474ba9d6, v3.0.0, ref adaptivenetworkhardeningsmonitoring. Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface.

IP Forwarding on your virtual machine should be disabled: bd352bd5-2853-4985-bf0d-73806b4a5744, v3.0.0, ref disableipforwardingmonitoring. Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.

Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources: 0961003e-5a0a-4549-abde-af6a37f2724d, v2.0.3, ref diskencryptionmonitoring. By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison

Vulnerabilities in container security configurations should be remediated: e8cbc669-f12d-49eb-93e7-9273119e9933, v3.0.0, ref containerbenchmarkmonitoring. Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.

Endpoint protection should be installed on your machines: 1f7c564c-0a90-4d44-b7e1-9d456cffaee8, v1.0.0, ref installendpointprotection. To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.

Endpoint protection health issues should be resolved on your machines: 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2, v1.0.0, ref endpointprotectionhealthissuesmonitoringeffect. Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here: https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here: https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.

Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity: d26f7642-7545-4e18-9b75-8c9bbdee3a9a, v1.0.1, ref gcextonvmwithnosamimonitoring. The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol

Azure Backup should be enabled for Virtual Machines: 013e242c-8828-4970-87b3-ab247555486d, v3.0.0, ref azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect. Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.

Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring: a4fe33eb-e377-4efb-ab31-0784311bc499, v1.0.0, ref installloganalyticsagentonvmmonitoring. This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats.

Linux machines should meet requirements for the Azure compute security baseline: fc9b3da7-8347-4380-8e70-0a0361d8dedd, v2.0.0, ref linuxguestconfigbaselinesmonitoring. Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vmarmtest-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vmarmtest-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vmarmtest-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vmarmtest-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vmarmtest-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vmarmtest-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vmarmtest-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vmarmtest-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vmarmtest-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachineScaleSetstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachinescalesets/oss-4cdsx3j5brhdjoss-4cdsx3j5brhdj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vmarmtest-cc-vm1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration3.0.0prerequisite_deployextensionlinux331e8ea8-378a-410f-a2e5-ae22f38bb0da/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0datbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vmarmtest-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vmarmtest-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vmarmtest-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vmarmtest-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vmarmtest-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vmarmtest-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-cc-vmarmtest-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.storage/storageaccounts/armccstorage1armccstorage155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/armtest-jump-vmarmtest-jump-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.storage/storageaccounts/armccstorage1armccstorage155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622ARMTESTMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugyfiler-g5rwmzlemi2gmllemiytaljugy55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622ARMTESTMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugyfiler-g5rwmzlemi2gmllemiytaljugy55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ARMTESTMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugyfiler-g5rwmzlemi2gmllemiytaljugy55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ARMTESTMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugyfiler-g5rwmzlemi2gmllemiytaljugy55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Network/virtualNetworkstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.network/virtualnetworks/armtestvnet2armtestvnet255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622ARMTESTMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugyfiler-g5rwmzlemi2gmllemiytaljugy55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622ARMTESTMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugyfiler-g5rwmzlemi2gmllemiytaljugy55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Network/virtualNetworkstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.network/virtualnetworks/armtest-vnetarmtest-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622ARMTESTMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugyfiler-g5rwmzlemi2gmllemiytaljugy55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugvmds-mmztemzug5rtgljxgfswkljugv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugvmds-mmztemzug5rtgljxgfswkljugv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622ARMTESTMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugyfiler-g5rwmzlemi2gmllemiytaljugy55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugvmds-mmztemzug5rtgljxgfswkljugv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugvmds-mmztemzug5rtgljxgfswkljugv1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622ARMTESTMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugyfiler-g5rwmzlemi2gmllemiytaljugy55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Network/virtualNetworkstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.network/virtualnetworks/armtestvnet2armtestvnet255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622ARMTESTMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugyfiler-g5rwmzlemi2gmllemiytaljugy55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Network/virtualNetworkstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.network/virtualnetworks/armtestvnet2armtestvnet255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vnetenableddosprotectionmonitoringa7aca53f-2ed4-4466-a25e-0b45ade68efd/providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efdazure_security_benchmark_v3.0_ns-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.Security CenterAzure DDoS Protection Standard should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Network/virtualNetworkstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.network/virtualnetworks/armtestvnet2armtestvnet255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0-previewazurefirewalleffectfc5e4038-4584-4632-8c85-c0448d374b2c/providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2cazure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewallNetwork[Preview]: All Internet traffic should be routed via your deployed Azure Firewall
1d81cec7-7ded-4731-884e-90c5aa59c622ARMTESTMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugyfiler-g5rwmzlemi2gmllemiytaljugy55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622ARMTESTMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugyfiler-g5rwmzlemi2gmllemiytaljugy55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/mds-mmztemzug5rtgljxgfswkljugvmds-mmztemzug5rtgljxgfswkljugv1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Network/virtualNetworkstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.network/virtualnetworks/armtestvnet2armtestvnet255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0-previewazurefirewalleffectfc5e4038-4584-4632-8c85-c0448d374b2c/providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2cazure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewallNetwork[Preview]: All Internet traffic should be routed via your deployed Azure Firewall
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.network/virtualnetworks/armtestvnet2/subnets/computecompute55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Network/virtualNetworkstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.network/virtualnetworks/armtestvnetarmtestvnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0-previewazurefirewalleffectfc5e4038-4584-4632-8c85-c0448d374b2c/providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2cazure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewallNetwork[Preview]: All Internet traffic should be routed via your deployed Azure Firewall
1d81cec7-7ded-4731-884e-90c5aa59c622ARMTESTMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugyfiler-g5rwmzlemi2gmllemiytaljugy55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ARMTESTMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugyfiler-g5rwmzlemi2gmllemiytaljugy55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Network/virtualNetworkstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.network/virtualnetworks/armtestvnetarmtestvnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Network/virtualNetworkstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.network/virtualnetworks/armtest-vnetarmtest-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622armtestMicrosoft.Network/virtualNetworkstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.network/virtualnetworks/armtestvnetarmtestvnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622ARMTESTMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/armtest/providers/microsoft.compute/virtualmachines/filer-g5rwmzlemi2gmllemiytaljugyfiler-g5rwmzlemi2gmllemiytaljugy55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622aw-aml-rg2Microsoft.KeyVault/vaultstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.keyvault/vaults/awamlwk26303667602awamlwk2630366760255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622aw-aml-rg2Microsoft.KeyVault/vaultstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.keyvault/vaults/awamlwk26303667602awamlwk2630366760255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622aw-aml-rg2Microsoft.KeyVault/vaultstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.keyvault/vaults/awamlwk26303667602awamlwk2630366760255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622aw-aml-rg2Microsoft.KeyVault/vaultstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.keyvault/vaults/awamlwk26303667602awamlwk2630366760255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622aw-aml-rg2Microsoft.KeyVault/vaultstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.keyvault/vaults/awamlwk26303667602awamlwk2630366760255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622aw-aml-rg2Microsoft.MachineLearningServices/workspacestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.machinelearningservices/workspaces/aw-aml-wk2aw-aml-wk255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0azuremachinelearningworkspacesshoulduseprivatelinkmonitoringeffect40cec1dd-a100-4920-b15b-3024fe8901ab/providers/microsoft.authorization/policydefinitions/40cec1dd-a100-4920-b15b-3024fe8901abazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link.Machine LearningAzure Machine Learning workspaces should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622aw-aml-rg2Microsoft.KeyVault/vaultstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.keyvault/vaults/awamlwk26303667602awamlwk2630366760255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622aw-aml-rg2Microsoft.KeyVault/vaultstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.keyvault/vaults/awamlwk26303667602awamlwk2630366760255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622aw-aml-rg2Microsoft.KeyVault/vaultstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.keyvault/vaults/awamlwk26303667602awamlwk2630366760255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622aw-aml-rg2Microsoft.KeyVault/vaultstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.keyvault/vaults/awamlwk26303667602awamlwk2630366760255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622aw-aml-rg2Microsoft.KeyVault/vaultstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.keyvault/vaults/awamlwk26303667602awamlwk2630366760255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622aw-aml-rg2Microsoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.keyvault/vaults/awamlwk26303667602awamlwk2630366760255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center5.0.0diagnosticslogsinkeyvaultmonitoringcf820ca0-f99e-4f3e-84fb-66e913812d21/providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromisedKey VaultResource logs in Key Vault should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622aw-aml-rg2Microsoft.KeyVault/vaultstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.keyvault/vaults/awamlwk26303667602awamlwk2630366760255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622aw-aml-rg2Microsoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.keyvault/vaults/awamlwk26303667602awamlwk2630366760255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center5.0.0diagnosticslogsinkeyvaultmonitoringcf820ca0-f99e-4f3e-84fb-66e913812d21/providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromisedKey VaultResource logs in Key Vault should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622aw-aml-rg2Microsoft.KeyVault/vaultstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.keyvault/vaults/awamlwk26303667602awamlwk2630366760255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622aw-aml-rg2Microsoft.MachineLearningServices/workspacestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.machinelearningservices/workspaces/aw-aml-wk2aw-aml-wk255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0azuremachinelearningworkspacesshoulduseprivatelinkmonitoringeffect40cec1dd-a100-4920-b15b-3024fe8901ab/providers/microsoft.authorization/policydefinitions/40cec1dd-a100-4920-b15b-3024fe8901abazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link.Machine LearningAzure Machine Learning workspaces should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622aw-aml-rg2Microsoft.KeyVault/vaultstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.keyvault/vaults/awamlwk26303667602awamlwk2630366760255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622aw-aml-rg2Microsoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.keyvault/vaults/awamlwk26303667602awamlwk2630366760255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0firewallshouldbeenabledonkeyvaultmonitoringeffect55615ac9-af46-4a59-874e-391cc3dfb490/providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490System.Object[]tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-securityKey VaultAzure Key Vault should have firewall enabled
1d81cec7-7ded-4731-884e-90c5aa59c622aw-aml-rg2Microsoft.KeyVault/vaultstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.keyvault/vaults/awamlwk26303667602awamlwk2630366760255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0keyvaultsshouldhavesoftdeleteenabledmonitoringeffect1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d/providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2dazure_security_benchmark_v3.0_dp-8tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineDeleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.Key VaultKey vaults should have soft delete enabled
1d81cec7-7ded-4731-884e-90c5aa59c622aw-aml-rg2Microsoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.keyvault/vaults/awamlwk26303667602awamlwk2630366760255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect0b60c0b2-2dc2-4e1c-b5c9-abbed971de53/providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53azure_security_benchmark_v3.0_dp-8tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMalicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.Key VaultKey vaults should have purge protection enabled
1d81cec7-7ded-4731-884e-90c5aa59c622aw-aml-rg2Microsoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.keyvault/vaults/awamlwk26303667602awamlwk2630366760255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0-previewprivateendpointshouldbeconfiguredforkeyvaultmonitoringeffect5f0bc445-3935-4915-9981-011aa2b46147/providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147System.Object[]tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPrivate link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration.Key Vault[Preview]: Private endpoint should be configured for Key Vault
1d81cec7-7ded-4731-884e-90c5aa59c622aw-aml-rg2Microsoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.keyvault/vaults/awamlwk26303667602awamlwk2630366760255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0firewallshouldbeenabledonkeyvaultmonitoringeffect55615ac9-af46-4a59-874e-391cc3dfb490/providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490System.Object[]tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-securityKey VaultAzure Key Vault should have firewall enabled
1d81cec7-7ded-4731-884e-90c5aa59c622aw-aml-rg2Microsoft.KeyVault/vaultstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.keyvault/vaults/awamlwk26303667602awamlwk2630366760255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0keyvaultsshouldhavesoftdeleteenabledmonitoringeffect1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d/providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2dazure_security_benchmark_v3.0_dp-8tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDeleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.Key VaultKey vaults should have soft delete enabled
1d81cec7-7ded-4731-884e-90c5aa59c622aw-aml-rg2Microsoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.keyvault/vaults/awamlwk26303667602awamlwk2630366760255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect0b60c0b2-2dc2-4e1c-b5c9-abbed971de53/providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53azure_security_benchmark_v3.0_dp-8tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMalicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.Key VaultKey vaults should have purge protection enabled
1d81cec7-7ded-4731-884e-90c5aa59c622aw-aml-rg2Microsoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.keyvault/vaults/awamlwk26303667602awamlwk2630366760255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0-previewprivateendpointshouldbeconfiguredforkeyvaultmonitoringeffect5f0bc445-3935-4915-9981-011aa2b46147/providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147System.Object[]tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePrivate link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration.Key Vault[Preview]: Private endpoint should be configured for Key Vault
1d81cec7-7ded-4731-884e-90c5aa59c622aw-aml-rg2Microsoft.KeyVault/vaultstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.keyvault/vaults/awamlwk26303667602awamlwk2630366760255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622aw-aml-rg2Microsoft.KeyVault/vaultstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.keyvault/vaults/awamlwk26303667602awamlwk2630366760255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622aw-aml-rg2Microsoft.KeyVault/vaultstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.keyvault/vaults/awamlwk26303667602awamlwk2630366760255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622
ResourceGroup: aw-aml-rg2
ResourceType: Microsoft.ContainerRegistry/registries
ResourceTags: tbd
ResourceLocation: eastus
IsCompliant: False
ComplianceState: NonCompliant
ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.containerregistry/registries/awamlacr2
Resource: awamlacr2
PolicySetDefinitionVersion: 55.0.0
PolicySetDefinitionName: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicySetDefinitionId: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicySetDefinitionCategory: security center
PolicyDefinitionVersion: 2.0.1
PolicyDefinitionReferenceId: containerregistryvulnerabilityassessment
PolicyDefinitionName: 5f0f936f-2f01-4bf5-b6be-d423792fa562
PolicyDefinitionId: /providers/microsoft.authorization/policydefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562
PolicyDefinitionGroupNames: System.Object[]
PolicyDefinitionCategory: tbd
PolicyDefinitionAction: auditifnotexists
PolicyAssignmentScope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622
PolicyAssignmentParameters: tbd
PolicyAssignmentName: SecurityCenterBuiltIn
PolicyAssignmentId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
PolicyDescription: Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.
PolicyCategory: Security Center
PolicyDisplayName: Container registry images should have vulnerability findings resolved

SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622
ResourceGroup: aw-aml-rg2
ResourceType: Microsoft.ContainerRegistry/registries
ResourceTags: tbd
ResourceLocation: eastus
IsCompliant: False
ComplianceState: NonCompliant
ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.containerregistry/registries/awamlacr2
Resource: awamlacr2
PolicySetDefinitionVersion: 55.0.0
PolicySetDefinitionName: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicySetDefinitionId: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicySetDefinitionCategory: security center
PolicyDefinitionVersion: 1.0.1
PolicyDefinitionReferenceId: containerregistriesshoulduseprivatelinkmonitoringeffect
PolicyDefinitionName: e8eef0a8-67cf-4eb4-9386-14b0e78733d4
PolicyDefinitionId: /providers/microsoft.authorization/policydefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4
PolicyDefinitionGroupNames: azure_security_benchmark_v3.0_ns-2
PolicyDefinitionCategory: tbd
PolicyDefinitionAction: audit
PolicyAssignmentScope: /providers/Microsoft.Management/managementGroups/MCAPSCore
PolicyAssignmentParameters: tbd
PolicyAssignmentName: Azure_Security_Baseline
PolicyAssignmentId: /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
PolicyDescription: Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link.
PolicyCategory: Container Registry
PolicyDisplayName: Container registries should use private link

SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622
ResourceGroup: aw-aml-rg2
ResourceType: Microsoft.ContainerRegistry/registries
ResourceTags: tbd
ResourceLocation: eastus
IsCompliant: False
ComplianceState: NonCompliant
ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.containerregistry/registries/awamlacr2
Resource: awamlacr2
PolicySetDefinitionVersion: 55.0.0
PolicySetDefinitionName: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicySetDefinitionId: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicySetDefinitionCategory: security center
PolicyDefinitionVersion: 2.0.0
PolicyDefinitionReferenceId: containerregistriesshouldnotallowunrestrictednetworkaccessmonitoringeffect
PolicyDefinitionName: d0793b48-0edc-4296-a390-4c75d1bdfd71
PolicyDefinitionId: /providers/microsoft.authorization/policydefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71
PolicyDefinitionGroupNames: azure_security_benchmark_v3.0_ns-2
PolicyDefinitionCategory: tbd
PolicyDefinitionAction: audit
PolicyAssignmentScope: /providers/Microsoft.Management/managementGroups/MCAPSCore
PolicyAssignmentParameters: tbd
PolicyAssignmentName: Azure_Security_Baseline
PolicyAssignmentId: /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
PolicyDescription: Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet.
PolicyCategory: Container Registry
PolicyDisplayName: Container registries should not allow unrestricted network access

SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622
ResourceGroup: aw-aml-rg2
ResourceType: Microsoft.ContainerRegistry/registries
ResourceTags: tbd
ResourceLocation: eastus
IsCompliant: False
ComplianceState: NonCompliant
ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.containerregistry/registries/awamlacr2
Resource: awamlacr2
PolicySetDefinitionVersion: 55.0.0
PolicySetDefinitionName: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicySetDefinitionId: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicySetDefinitionCategory: security center
PolicyDefinitionVersion: 1.0.1
PolicyDefinitionReferenceId: containerregistriesshoulduseprivatelinkmonitoringeffect
PolicyDefinitionName: e8eef0a8-67cf-4eb4-9386-14b0e78733d4
PolicyDefinitionId: /providers/microsoft.authorization/policydefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4
PolicyDefinitionGroupNames: azure_security_benchmark_v3.0_ns-2
PolicyDefinitionCategory: tbd
PolicyDefinitionAction: audit
PolicyAssignmentScope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622
PolicyAssignmentParameters: tbd
PolicyAssignmentName: SecurityCenterBuiltIn
PolicyAssignmentId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
PolicyDescription: Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link.
PolicyCategory: Container Registry
PolicyDisplayName: Container registries should use private link

SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622
ResourceGroup: aw-aml-rg2
ResourceType: Microsoft.ContainerRegistry/registries
ResourceTags: tbd
ResourceLocation: eastus
IsCompliant: False
ComplianceState: NonCompliant
ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.containerregistry/registries/awamlacr2
Resource: awamlacr2
PolicySetDefinitionVersion: 55.0.0
PolicySetDefinitionName: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicySetDefinitionId: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicySetDefinitionCategory: security center
PolicyDefinitionVersion: 2.0.0
PolicyDefinitionReferenceId: containerregistriesshouldnotallowunrestrictednetworkaccessmonitoringeffect
PolicyDefinitionName: d0793b48-0edc-4296-a390-4c75d1bdfd71
PolicyDefinitionId: /providers/microsoft.authorization/policydefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71
PolicyDefinitionGroupNames: azure_security_benchmark_v3.0_ns-2
PolicyDefinitionCategory: tbd
PolicyDefinitionAction: audit
PolicyAssignmentScope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622
PolicyAssignmentParameters: tbd
PolicyAssignmentName: SecurityCenterBuiltIn
PolicyAssignmentId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
PolicyDescription: Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet.
PolicyCategory: Container Registry
PolicyDisplayName: Container registries should not allow unrestricted network access

SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622
ResourceGroup: aw-aml-rg2
ResourceType: Microsoft.Storage/storageAccounts
ResourceTags: tbd
ResourceLocation: eastus
IsCompliant: True
ComplianceState: Compliant
ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.storage/storageaccounts/awamlwk29359386799
Resource: awamlwk29359386799
PolicySetDefinitionVersion: 55.0.0
PolicySetDefinitionName: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicySetDefinitionId: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicySetDefinitionCategory: security center
PolicyDefinitionVersion: 2.0.0
PolicyDefinitionReferenceId: securetransfertostorageaccountmonitoring
PolicyDefinitionName: 404c3081-a854-4457-ae30-26a93ef643f9
PolicyDefinitionId: /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9
PolicyDefinitionGroupNames: azure_security_benchmark_v3.0_dp-3
PolicyDefinitionCategory: tbd
PolicyDefinitionAction: audit
PolicyAssignmentScope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622
PolicyAssignmentParameters: tbd
PolicyAssignmentName: SecurityCenterBuiltIn
PolicyAssignmentId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
PolicyDescription: Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking
PolicyCategory: Storage
PolicyDisplayName: Secure transfer to storage accounts should be enabled

SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622
ResourceGroup: aw-aml-rg2
ResourceType: Microsoft.Storage/storageAccounts
ResourceTags: tbd
ResourceLocation: eastus
IsCompliant: True
ComplianceState: Compliant
ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.storage/storageaccounts/awamlwk29359386799
Resource: awamlwk29359386799
PolicySetDefinitionVersion: 55.0.0
PolicySetDefinitionName: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicySetDefinitionId: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicySetDefinitionCategory: security center
PolicyDefinitionVersion: 3.1.0-preview
PolicyDefinitionReferenceId: storagedisallowpublicaccess
PolicyDefinitionName: 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751
PolicyDefinitionId: /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751
PolicyDefinitionGroupNames: azure_security_benchmark_v3.0_ns-2
PolicyDefinitionCategory: tbd
PolicyDefinitionAction: audit
PolicyAssignmentScope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622
PolicyAssignmentParameters: tbd
PolicyAssignmentName: SecurityCenterBuiltIn
PolicyAssignmentId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
PolicyDescription: Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.
PolicyCategory: Storage
PolicyDisplayName: [Preview]: Storage account public access should be disallowed

SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622
ResourceGroup: aw-aml-rg2
ResourceType: Microsoft.Storage/storageAccounts
ResourceTags: tbd
ResourceLocation: eastus
IsCompliant: False
ComplianceState: NonCompliant
ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.storage/storageaccounts/awamlwk29359386799
Resource: awamlwk29359386799
PolicySetDefinitionVersion: 55.0.0
PolicySetDefinitionName: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicySetDefinitionId: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicySetDefinitionCategory: security center
PolicyDefinitionVersion: 2.0.0
PolicyDefinitionReferenceId: storageaccountshoulduseaprivatelinkconnectionmonitoringeffect
PolicyDefinitionName: 6edd7eda-6dd8-40f7-810d-67160c639cd9
PolicyDefinitionId: /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9
PolicyDefinitionGroupNames: azure_security_benchmark_v3.0_ns-2
PolicyDefinitionCategory: tbd
PolicyDefinitionAction: auditifnotexists
PolicyAssignmentScope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622
PolicyAssignmentParameters: tbd
PolicyAssignmentName: SecurityCenterBuiltIn
PolicyAssignmentId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
PolicyDescription: Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview
PolicyCategory: Storage
PolicyDisplayName: Storage accounts should use private link

1d81cec7-7ded-4731-884e-90c5aa59c622aw-aml-rg2Microsoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.storage/storageaccounts/awamlwk29359386799awamlwk2935938679955.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622|aw-aml-rg2|Microsoft.Storage/storageAccounts|tbd|eastus|True|Compliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.storage/storageaccounts/awamlwk29359386799|awamlwk29359386799|55.0.0|||1f3afdf9-d0c9-4c3d-847f-89da613e70a8|/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8|security center||1.0.0|classicstorageaccountsmonitoring|37e0d2fe-28a5-43d6-a273-67d37d1f5606|/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606|azure_security_benchmark_v3.0_am-2|tbd|audit||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622|tbd||SecurityCenterBuiltIn|/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin|Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management|Storage|Storage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622|aw-aml-rg2|Microsoft.ContainerRegistry/registries|tbd|eastus|False|NonCompliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.containerregistry/registries/awamlacr2|awamlacr2|55.0.0|||1f3afdf9-d0c9-4c3d-847f-89da613e70a8|/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8|security center||2.0.1|containerregistryvulnerabilityassessment|5f0f936f-2f01-4bf5-b6be-d423792fa562|/providers/microsoft.authorization/policydefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562|System.Object[]|tbd|auditifnotexists||/providers/Microsoft.Management/managementGroups/MCAPSCore|tbd||Azure_Security_Baseline|/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline|Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.|Security Center|Container registry images should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622|aw-aml-rg2|Microsoft.Storage/storageAccounts|tbd|eastus|False|NonCompliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.storage/storageaccounts/awamlwk29359386799|awamlwk29359386799|55.0.0|||1f3afdf9-d0c9-4c3d-847f-89da613e70a8|/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8|security center||1.0.1|storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect|2a1a9cdf-e04d-429a-8416-3bfb72a1b26f|/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f|azure_security_benchmark_v3.0_ns-2|tbd|audit||/providers/Microsoft.Management/managementGroups/MCAPSCore|tbd||Azure_Security_Baseline|/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline|Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.|Storage|Storage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622|aw-aml-rg2|Microsoft.Storage/storageAccounts|tbd|eastus|True|Compliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.storage/storageaccounts/awamlwk29359386799|awamlwk29359386799|55.0.0|||1f3afdf9-d0c9-4c3d-847f-89da613e70a8|/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8|security center||3.1.0-preview|storagedisallowpublicaccess|4fa4b6c0-31ca-4c0d-b10d-24b96f62a751|/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751|azure_security_benchmark_v3.0_ns-2|tbd|audit||/providers/Microsoft.Management/managementGroups/MCAPSCore|tbd||Azure_Security_Baseline|/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline|Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.|Storage|[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622|aw-aml-rg2|Microsoft.Storage/storageAccounts|tbd|eastus|True|Compliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.storage/storageaccounts/awamlwk29359386799|awamlwk29359386799|55.0.0|||1f3afdf9-d0c9-4c3d-847f-89da613e70a8|/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8|security center||1.0.0|classicstorageaccountsmonitoring|37e0d2fe-28a5-43d6-a273-67d37d1f5606|/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606|azure_security_benchmark_v3.0_am-2|tbd|audit||/providers/Microsoft.Management/managementGroups/MCAPSCore|tbd||Azure_Security_Baseline|/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline|Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management|Storage|Storage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622|aw-aml-rg2|Microsoft.Storage/storageAccounts|tbd|eastus|True|Compliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.storage/storageaccounts/awamlwk29359386799|awamlwk29359386799|55.0.0|||1f3afdf9-d0c9-4c3d-847f-89da613e70a8|/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8|security center||2.0.0|securetransfertostorageaccountmonitoring|404c3081-a854-4457-ae30-26a93ef643f9|/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9|azure_security_benchmark_v3.0_dp-3|tbd|audit||/providers/Microsoft.Management/managementGroups/MCAPSCore|tbd||Azure_Security_Baseline|/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline|Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking|Storage|Secure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622|aw-aml-rg2|Microsoft.Storage/storageAccounts|tbd|eastus|False|NonCompliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.storage/storageaccounts/awamlwk29359386799|awamlwk29359386799|55.0.0|||1f3afdf9-d0c9-4c3d-847f-89da613e70a8|/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8|security center||1.1.1|disableunrestrictednetworktostorageaccountmonitoring|34c877ad-507e-4c82-993e-3452a6e0ad3c|/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c|azure_security_benchmark_v3.0_ns-2|tbd|audit||/providers/Microsoft.Management/managementGroups/MCAPSCore|tbd||Azure_Security_Baseline|/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline|Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges|Storage|Storage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622|aw-aml-rg2|Microsoft.Storage/storageAccounts|tbd|eastus|False|NonCompliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-aml-rg2/providers/microsoft.storage/storageaccounts/awamlwk29359386799|awamlwk29359386799|55.0.0|||1f3afdf9-d0c9-4c3d-847f-89da613e70a8|/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8|security center||1.0.1|storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect|2a1a9cdf-e04d-429a-8416-3bfb72a1b26f|/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f|azure_security_benchmark_v3.0_ns-2|tbd|audit||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622|tbd||SecurityCenterBuiltIn|/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin|Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.|Storage|Storage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622|awhpcpk|Microsoft.Compute/virtualMachines|tbd|eastus|True|Compliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk|awhpcpk|55.0.0|||1f3afdf9-d0c9-4c3d-847f-89da613e70a8|/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8|security center||1.0.0|installendpointprotection|1f7c564c-0a90-4d44-b7e1-9d456cffaee8|/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8|azure_security_benchmark_v3.0_es-2|tbd|auditifnotexists||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622|tbd||SecurityCenterBuiltIn|/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin|To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.|Security Center|Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622|awhpcpk|Microsoft.Compute/virtualMachines|tbd|eastus|True|Compliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk|awhpcpk|55.0.0|||1f3afdf9-d0c9-4c3d-847f-89da613e70a8|/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8|security center||3.0.0|disableipforwardingmonitoring|bd352bd5-2853-4985-bf0d-73806b4a5744|/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744|azure_security_benchmark_v3.0_ns-3|tbd|auditifnotexists||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622|tbd||SecurityCenterBuiltIn|/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin|Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.|Security Center|IP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622|awhpcpk|Microsoft.Compute/virtualMachines|tbd|eastus|False|NonCompliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk|awhpcpk|55.0.0|||1f3afdf9-d0c9-4c3d-847f-89da613e70a8|/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8|security center||2.0.0|windowsguestconfigbaselinesmonitoring|72650e9f-97bc-4b2a-ab5f-9781a9fcecbc|/providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc|azure_security_benchmark_v3.0_pv-4|tbd|auditifnotexists||/providers/Microsoft.Management/managementGroups/MCAPSCore|tbd||Azure_Security_Baseline|/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline|Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.|Guest Configuration|Windows machines should meet requirements of the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622|awhpcpk|Microsoft.Compute/virtualMachines|tbd|eastus|True|Compliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk|awhpcpk|1.0.0|||12794019-7a00-42cf-95c2-882eed337cc8|/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8|guest configuration||4.0.0|prerequisite_addsystemidentitywhennone|3cf2ab00-13f1-4d0c-8971-2ac904541a7e|/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e||tbd|modify||/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd|tbd||f34f1577286a4f77b5dd107c|/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c|This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.|Guest Configuration|Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622|awhpcpk|Microsoft.Compute/virtualMachines|tbd|eastus|True|Compliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk|awhpcpk|1.0.0|||12794019-7a00-42cf-95c2-882eed337cc8|/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8|guest configuration||4.0.0|prerequisite_addsystemidentitywhenuser|497dff13-db2a-4c0f-8603-28fa3b331ab6|/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6||tbd|modify||/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd|tbd||f34f1577286a4f77b5dd107c|/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c|This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.|Guest Configuration|Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622|awhpcpk|Microsoft.Compute/virtualMachines|tbd|eastus|True|Compliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk|awhpcpk|55.0.0|||1f3afdf9-d0c9-4c3d-847f-89da613e70a8|/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8|security center||1.0.0|classiccomputevmsmonitoring|1d84d5fb-01f6-4d12-ba4f-4a26081d403d|/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d|azure_security_benchmark_v3.0_am-2|tbd|audit||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622|tbd||SecurityCenterBuiltIn|/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin|Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management|Compute|Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622|awhpcpk|Microsoft.Compute/virtualMachines|tbd|eastus|True|Compliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk|awhpcpk|55.0.0|||1f3afdf9-d0c9-4c3d-847f-89da613e70a8|/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8|security center||2.0.0-preview|systemupdatesautoassessmentmode|bd876905-5b84-4f73-ab2d-2e7a7c4568d9|/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9|azure_security_benchmark_v3.0_pv-6|tbd|audit||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622|tbd||SecurityCenterBuiltIn|/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin|To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.|Update Management Center|[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622|awhpcpk|Microsoft.Compute/virtualMachines|tbd|eastus|True|Compliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk|awhpcpk|55.0.0|||1f3afdf9-d0c9-4c3d-847f-89da613e70a8|/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8|security center||2.0.0-preview|vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect|1c30f9cd-b84c-49cc-aa2c-9288447cc3b3|/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3|azure_security_benchmark_v3.0_pv-4|tbd|audit||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622|tbd||SecurityCenterBuiltIn|/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin|Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.|Security Center|[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622|awhpcpk|Microsoft.Compute/virtualMachines|tbd|eastus|True|Compliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk|awhpcpk|55.0.0|||1f3afdf9-d0c9-4c3d-847f-89da613e70a8|/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8|security center||4.0.0-preview|previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect|97566dd7-78ae-4997-8b36-1c7bfe0d8121|/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121|azure_security_benchmark_v3.0_pv-4|tbd|audit||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622|tbd||SecurityCenterBuiltIn|/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin|Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.|Security Center|[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622|awhpcpk|Microsoft.Compute/virtualMachines|tbd|eastus|True|Compliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk|awhpcpk|55.0.0|||1f3afdf9-d0c9-4c3d-847f-89da613e70a8|/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8|security center||1.0.0|classiccomputevmsmonitoring|1d84d5fb-01f6-4d12-ba4f-4a26081d403d|/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d|azure_security_benchmark_v3.0_am-2|tbd|audit||/providers/Microsoft.Management/managementGroups/MCAPSCore|tbd||Azure_Security_Baseline|/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline|Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management|Compute|Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622|awhpcpk|Microsoft.Compute/virtualMachines|tbd|eastus|True|Compliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk|awhpcpk|55.0.0|||1f3afdf9-d0c9-4c3d-847f-89da613e70a8|/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8|security center||2.0.0-preview|systemupdatesautoassessmentmode|bd876905-5b84-4f73-ab2d-2e7a7c4568d9|/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9|azure_security_benchmark_v3.0_pv-6|tbd|audit||/providers/Microsoft.Management/managementGroups/MCAPSCore|tbd||Azure_Security_Baseline|/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline|To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.|Update Management Center|[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpkawhpcpk55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpkawhpcpk55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.Compute/virtualMachinestbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpkawhpcpk55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpkawhpcpk55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpkawhpcpk55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpkawhpcpk55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpkawhpcpk55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpkawhpcpk55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpkawhpcpk55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpkawhpcpk55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpkawhpcpk55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpkawhpcpk55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpkawhpcpk55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpkawhpcpk55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.storage/storageaccounts/hpck3veskbap4wn2hpck3veskbap4wn255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.storage/storageaccounts/hpck3veskbap4wn2hpck3veskbap4wn255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.storage/storageaccounts/hpck3veskbap4wn2hpck3veskbap4wn255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.storage/storageaccounts/hpck3veskbap4wn2hpck3veskbap4wn255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpkawhpcpk55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpkawhpcpk55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpkawhpcpk55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpkawhpcpk55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpkawhpcpk55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpkawhpcpk55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect5752e6d6-1206-46d8-8ab1-ecc2f71a8112/providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112azure_security_benchmark_v3.0_dp-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.Guest ConfigurationWindows web servers should be configured to use secure communication protocols
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.keyvault/vaults/aw-hpcpk-kv1aw-hpcpk-kv155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect0b60c0b2-2dc2-4e1c-b5c9-abbed971de53/providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53azure_security_benchmark_v3.0_dp-8tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMalicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.Key VaultKey vaults should have purge protection enabled
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.KeyVault/vaultstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.keyvault/vaults/aw-hpcpk-kv1aw-hpcpk-kv155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0keyvaultsshouldhavesoftdeleteenabledmonitoringeffect1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d/providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2dazure_security_benchmark_v3.0_dp-8tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDeleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.Key VaultKey vaults should have soft delete enabled
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.keyvault/vaults/aw-hpcpk-kv1aw-hpcpk-kv155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0firewallshouldbeenabledonkeyvaultmonitoringeffect55615ac9-af46-4a59-874e-391cc3dfb490/providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490System.Object[]tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-securityKey VaultAzure Key Vault should have firewall enabled
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.keyvault/vaults/aw-hpcpk-kv1aw-hpcpk-kv155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0-previewprivateendpointshouldbeconfiguredforkeyvaultmonitoringeffect5f0bc445-3935-4915-9981-011aa2b46147/providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147System.Object[]tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPrivate link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration.Key Vault[Preview]: Private endpoint should be configured for Key Vault
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.keyvault/vaults/aw-hpcpk-kv1aw-hpcpk-kv155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect0b60c0b2-2dc2-4e1c-b5c9-abbed971de53/providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53azure_security_benchmark_v3.0_dp-8tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMalicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.Key VaultKey vaults should have purge protection enabled
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpkawhpcpk55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0windowsguestconfigbaselinesmonitoring72650e9f-97bc-4b2a-ab5f-9781a9fcecbc/providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbcazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationWindows machines should meet requirements of the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.KeyVault/vaultstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.keyvault/vaults/aw-hpcpk-kv1aw-hpcpk-kv155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0keyvaultsshouldhavesoftdeleteenabledmonitoringeffect1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d/providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2dazure_security_benchmark_v3.0_dp-8tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineDeleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.Key VaultKey vaults should have soft delete enabled
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.keyvault/vaults/aw-hpcpk-kv1aw-hpcpk-kv155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0-previewprivateendpointshouldbeconfiguredforkeyvaultmonitoringeffect5f0bc445-3935-4915-9981-011aa2b46147/providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147System.Object[]tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePrivate link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration.Key Vault[Preview]: Private endpoint should be configured for Key Vault
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.keyvault/vaults/aw-hpcpk-kv1aw-hpcpk-kv155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center5.0.0diagnosticslogsinkeyvaultmonitoringcf820ca0-f99e-4f3e-84fb-66e913812d21/providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromisedKey VaultResource logs in Key Vault should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.keyvault/vaults/aw-hpcpk-kv1aw-hpcpk-kv155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center5.0.0diagnosticslogsinkeyvaultmonitoringcf820ca0-f99e-4f3e-84fb-66e913812d21/providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromisedKey VaultResource logs in Key Vault should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpkawhpcpk55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect5752e6d6-1206-46d8-8ab1-ecc2f71a8112/providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112azure_security_benchmark_v3.0_dp-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.Guest ConfigurationWindows web servers should be configured to use secure communication protocols
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.storage/storageaccounts/hpck3veskbap4wn2hpck3veskbap4wn255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.storage/storageaccounts/hpck3veskbap4wn2hpck3veskbap4wn255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.storage/storageaccounts/hpck3veskbap4wn2hpck3veskbap4wn255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpkawhpcpk55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.storage/storageaccounts/hpck3veskbap4wn2hpck3veskbap4wn255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.storage/storageaccounts/hpck3veskbap4wn2hpck3veskbap4wn255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.storage/storageaccounts/hpck3veskbap4wn2hpck3veskbap4wn255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.keyvault/vaults/aw-hpcpk-kv1aw-hpcpk-kv155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0firewallshouldbeenabledonkeyvaultmonitoringeffect55615ac9-af46-4a59-874e-391cc3dfb490/providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490System.Object[]tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-securityKey VaultAzure Key Vault should have firewall enabled
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpkawhpcpk55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0windowsdefenderexploitguardmonitoringbed48b13-6647-468e-aa2f-1af1d3f4dd40/providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineWindows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).Guest ConfigurationWindows Defender Exploit Guard should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.storage/storageaccounts/hpck3veskbap4wn2hpck3veskbap4wn255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpkawhpcpk55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0windowsdefenderexploitguardmonitoringbed48b13-6647-468e-aa2f-1af1d3f4dd40/providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinWindows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).Guest ConfigurationWindows Defender Exploit Guard should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpkawhpcpk55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpkawhpcpk55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpkawhpcpk55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpkawhpcpk55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpkawhpcpk55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622awhpcpkMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpkawhpcpk55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.2-preview | ascdependencyagentauditwindowseffect | 2f2ee1de-44aa-4762-b6bd-0893fc3f306d | /providers/microsoft.authorization/policydefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 1.0.0 | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | 1.2.0 | prerequisite_deployextensionwindows | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | /providers/microsoft.authorization/policydefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6 | tbd | deployifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs
1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | awhpcpk | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/awhpcpk/providers/microsoft.compute/virtualmachines/awhpcpk | awhpcpk | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.2-preview | ascdependencyagentauditwindowseffect | 2f2ee1de-44aa-4762-b6bd-0893fc3f306d | /providers/microsoft.authorization/policydefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols
1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 1.0.0 | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | tbd | modify | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1 | aw-dc1 | 1.0.0 | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | tbd | modify | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622 | aw-infra | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0windowsguestconfigbaselinesmonitoring72650e9f-97bc-4b2a-ab5f-9781a9fcecbc/providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbcazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationWindows machines should meet requirements of the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0windowsdefenderexploitguardmonitoringbed48b13-6647-468e-aa2f-1af1d3f4dd40/providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinWindows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).Guest ConfigurationWindows Defender Exploit Guard should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0windowsguestconfigbaselinesmonitoring72650e9f-97bc-4b2a-ab5f-9781a9fcecbc/providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbcazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationWindows machines should meet requirements of the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0windowsdefenderexploitguardmonitoringbed48b13-6647-468e-aa2f-1af1d3f4dd40/providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineWindows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).Guest ConfigurationWindows Defender Exploit Guard should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect5752e6d6-1206-46d8-8ab1-ecc2f71a8112/providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112azure_security_benchmark_v3.0_dp-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.Guest ConfigurationWindows web servers should be configured to use secure communication protocols
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc11.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration1.2.0prerequisite_deployextensionwindows385f5831-96d4-41db-9a3c-cd3af78aaae6/providers/microsoft.authorization/policydefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6tbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622aw-infraMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1aw-dc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622,aw-infra,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/aw-infra/providers/microsoft.compute/virtualmachines/aw-dc1,aw-dc1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,Allowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate,azcl-imagecreate,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate,azcl-imagecreate,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,System updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate,azcl-imagecreate,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,SQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate,azcl-imagecreate,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,3.0.0,prerequisite_deployextensionlinux,331e8ea8-378a-410f-a2e5-ae22f38bb0da,/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da,,tbd,deployifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate,azcl-imagecreate,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,A vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate,azcl-imagecreate,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,All network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate,azcl-imagecreate,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,Adaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate,azcl-imagecreate,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,Management ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate,azcl-imagecreate,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,IP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate,azcl-imagecreate,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate,azcl-imagecreate,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate,azcl-imagecreate,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2-preview,ascdependencyagentauditlinuxeffect,04c4380f-3fae-46e8-96c9-30193528f602,/providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602,azure_security_benchmark_v3.0_lt-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.",Monitoring,[Preview]: Network traffic data collection agent should be installed on Linux virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate,azcl-imagecreate,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,Guest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate,azcl-imagecreate,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate,azcl-imagecreate,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Non-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate,azcl-imagecreate,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,Monitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate,azcl-imagecreate,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhennone,3cf2ab00-13f1-4d0c-8971-2ac904541a7e,/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate,azcl-imagecreate,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhenuser,497dff13-db2a-4c0f-8603-28fa3b331ab6,/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate,azcl-imagecreate,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate,azcl-imagecreate,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate,azcl-imagecreate,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate,azcl-imagecreate,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate,azcl-imagecreate,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate,azcl-imagecreate,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate,azcl-imagecreate,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622azcl-cliobenchMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreateazcl-imagecreate55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622azcl-cliobenchMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreateazcl-imagecreate55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622azcl-cliobenchMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreateazcl-imagecreate55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622azcl-cliobenchMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreateazcl-imagecreate55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622azcl-cliobenchMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreateazcl-imagecreate55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622azcl-cliobenchMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreateazcl-imagecreate55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622azcl-cliobenchMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreateazcl-imagecreate55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622azcl-cliobenchMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreateazcl-imagecreate55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622azcl-cliobenchMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreateazcl-imagecreate55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622azcl-cliobenchMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreateazcl-imagecreate55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622azcl-cliobenchMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreateazcl-imagecreate55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622azcl-cliobenchMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreateazcl-imagecreate55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622azcl-cliobenchMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreateazcl-imagecreate55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622azcl-cliobenchMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.storage/storageaccounts/azlcliofilestorepremium2azlcliofilestorepremium255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622azcl-cliobenchMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreateazcl-imagecreate55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622azcl-cliobenchMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreateazcl-imagecreate55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622azcl-cliobenchMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.storage/storageaccounts/azclcliobenchstorazclcliobenchstor55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622azcl-cliobenchMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.storage/storageaccounts/azclcliobenchstorazclcliobenchstor55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622azcl-cliobenchMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.storage/storageaccounts/azclcliobenchstorazclcliobenchstor55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622azcl-cliobenchMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.storage/storageaccounts/azclcliobenchstorazclcliobenchstor55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622azcl-cliobenchMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.storage/storageaccounts/azclcliobenchstorazclcliobenchstor55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622azcl-cliobenchMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.storage/storageaccounts/azclcliobenchstorazclcliobenchstor55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622azcl-cliobenchMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.storage/storageaccounts/azclcliobenchstorazclcliobenchstor55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622azcl-cliobenchMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.storage/storageaccounts/azclcliobenchstorazclcliobenchstor55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622azcl-cliobenchMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreateazcl-imagecreate55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate,azcl-imagecreate,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Linux machines should meet requirements for the Azure compute security baseline"
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Storage/storageAccounts,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.storage/storageaccounts/azclcliobenchstor,azclcliobenchstor,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,"Storage accounts should restrict network access using virtual network rules"
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Storage/storageAccounts,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.storage/storageaccounts/azlcliofilestorepremium2,azlcliofilestorepremium2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,"Secure transfer to storage accounts should be enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Storage/storageAccounts,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.storage/storageaccounts/azlcliofilestorepremium2,azlcliofilestorepremium2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,"Storage accounts should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Storage/storageAccounts,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.storage/storageaccounts/azlcliofilestorepremium2,azlcliofilestorepremium2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,"[Preview]: Storage account public access should be disallowed"
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Storage/storageAccounts,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.storage/storageaccounts/azlcliofilestorepremium2,azlcliofilestorepremium2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,"Storage accounts should restrict network access using virtual network rules"
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Storage/storageAccounts,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.storage/storageaccounts/azlcliofilestorepremium2,azlcliofilestorepremium2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.1.1,disableunrestrictednetworktostorageaccountmonitoring,34c877ad-507e-4c82-993e-3452a6e0ad3c,/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges",Storage,"Storage accounts should restrict network access"
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Storage/storageAccounts,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.storage/storageaccounts/azlcliofilestorepremium2,azlcliofilestorepremium2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,"Secure transfer to storage accounts should be enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Storage/storageAccounts,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.storage/storageaccounts/azlcliofilestorepremium2,azlcliofilestorepremium2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,"Storage accounts should use private link"
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Storage/storageAccounts,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.storage/storageaccounts/azclcliobenchstor,azclcliobenchstor,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,"Storage accounts should use private link"
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Storage/storageAccounts,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.storage/storageaccounts/azlcliofilestorepremium2,azlcliofilestorepremium2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,"Storage accounts should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Storage/storageAccounts,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.storage/storageaccounts/azlcliofilestorepremium2,azlcliofilestorepremium2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,"[Preview]: Storage account public access should be disallowed"
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Storage/storageAccounts,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.storage/storageaccounts/azlcliofilestorepremium2,azlcliofilestorepremium2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,"Storage accounts should use private link"
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate,azcl-imagecreate,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,"Allowlist rules in your adaptive application control policy should be updated"
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Network/virtualNetworks,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.network/virtualnetworks/clio-vnet,clio-vnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networkwatchershouldbeenabledmonitoringeffect,b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,azure_security_benchmark_v3.0_ir-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.",Network,"Network Watcher should be enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate,azcl-imagecreate,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Linux machines should meet requirements for the Azure compute security baseline"
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate,azcl-imagecreate,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Non-internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate,azcl-imagecreate,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,"Vulnerabilities in security configuration on your machines should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate,azcl-imagecreate,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,"Monitor missing Endpoint Protection in Azure Security Center"
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate,azcl-imagecreate,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate,azcl-imagecreate,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,"A vulnerability assessment solution should be enabled on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate,azcl-imagecreate,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,"All network ports should be restricted on network security groups associated to your virtual machine"
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate,azcl-imagecreate,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,"SQL servers on machines should have vulnerability findings resolved"
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate,azcl-imagecreate,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,"Adaptive network hardening recommendations should be applied on internet facing virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate,azcl-imagecreate,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,"Management ports should be closed on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate,azcl-imagecreate,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,"IP Forwarding on your virtual machine should be disabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Network/virtualNetworks,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.network/virtualnetworks/clio-vnet,clio-vnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networkwatchershouldbeenabledmonitoringeffect,b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,azure_security_benchmark_v3.0_ir-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.",Network,"Network Watcher should be enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate,azcl-imagecreate,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,"Vulnerabilities in container security configurations should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate,azcl-imagecreate,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,"Azure Backup should be enabled for Virtual Machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,azcl-cliobench,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate,azcl-imagecreate,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2-preview,ascdependencyagentauditlinuxeffect,04c4380f-3fae-46e8-96c9-30193528f602,/providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602,azure_security_benchmark_v3.0_lt-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.",Monitoring,"[Preview]: Network traffic data collection agent should be installed on Linux virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622azcl-cliobenchMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreateazcl-imagecreate55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622azcl-cliobenchMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreateazcl-imagecreate55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622azcl-cliobenchMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreateazcl-imagecreate55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622azcl-cliobenchMicrosoft.Compute/virtualMachines/extensionstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622azcl-cliobenchMicrosoft.Compute/virtualMachines/extensionstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreate/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622azcl-cliobenchMicrosoft.Network/virtualNetworkstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.network/virtualnetworks/clio-vnetclio-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vnetenableddosprotectionmonitoringa7aca53f-2ed4-4466-a25e-0b45ade68efd/providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efdazure_security_benchmark_v3.0_ns-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.Security CenterAzure DDoS Protection Standard should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622azcl-cliobenchMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.network/virtualnetworks/clio-vnet/subnets/defaultdefault55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622azcl-cliobenchMicrosoft.Network/virtualNetworks/subnetstbdFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.network/virtualnetworks/clio-vnet/subnets/sn-anfsn-anf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622azcl-cliobenchMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.storage/storageaccounts/azclcliobenchstorazclcliobenchstor55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622azcl-cliobenchMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.network/virtualnetworks/clio-vnet/subnets/sn-computesn-compute55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622azcl-cliobenchMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azcl-cliobench/providers/microsoft.compute/virtualmachines/azcl-imagecreateazcl-imagecreate55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622azhpc-spillboxMicrosoft.Network/virtualNetworkstbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.network/virtualnetworks/vnet-spillvnet-spill55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622azhpc-spillboxMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjumpazhpc-spillboxjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622azhpc-spillboxMicrosoft.Compute/virtualMachinestbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjumpazhpc-spillboxjump1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration3.0.0prerequisite_deployextensionlinux331e8ea8-378a-410f-a2e5-ae22f38bb0da/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0datbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622azhpc-spillboxMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjumpazhpc-spillboxjump1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622azhpc-spillboxMicrosoft.Compute/virtualMachinestbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjumpazhpc-spillboxjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622azhpc-spillboxMicrosoft.Network/virtualNetworkstbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.network/virtualnetworks/vnet-spillvnet-spill55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622azhpc-spillboxMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjumpazhpc-spillboxjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622azhpc-spillboxMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjumpazhpc-spillboxjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622azhpc-spillboxMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjumpazhpc-spillboxjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622azhpc-spillboxMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjumpazhpc-spillboxjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622azhpc-spillboxMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjumpazhpc-spillboxjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622azhpc-spillboxMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjumpazhpc-spillboxjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622azhpc-spillboxMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjumpazhpc-spillboxjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622azhpc-spillboxMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjumpazhpc-spillboxjump1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622azhpc-spillboxMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjumpazhpc-spillboxjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622azhpc-spillboxMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjumpazhpc-spillboxjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622azhpc-spillboxMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjumpazhpc-spillboxjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622azhpc-spillboxMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjumpazhpc-spillboxjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622azhpc-spillboxMicrosoft.Compute/virtualMachinestbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjumpazhpc-spillboxjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622azhpc-spillboxMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjumpazhpc-spillboxjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622azhpc-spillboxMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjumpazhpc-spillboxjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622azhpc-spillboxMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjumpazhpc-spillboxjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622azhpc-spillboxMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjumpazhpc-spillboxjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622azhpc-spillboxMicrosoft.Compute/virtualMachinestbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjumpazhpc-spillboxjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622azhpc-spillboxMicrosoft.Compute/virtualMachinestbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjumpazhpc-spillboxjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622azhpc-spillboxMicrosoft.Compute/virtualMachinestbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjumpazhpc-spillboxjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622azhpc-spillboxMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjumpazhpc-spillboxjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622azhpc-spillboxMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjumpazhpc-spillboxjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622azhpc-spillboxMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.network/virtualnetworks/vnet-spill/subnets/defaultdefault55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622azhpc-spillboxMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjumpazhpc-spillboxjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622azhpc-spillboxMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjumpazhpc-spillboxjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622azhpc-spillboxMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjumpazhpc-spillboxjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622azhpc-spillboxMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjumpazhpc-spillboxjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622azhpc-spillboxMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjumpazhpc-spillboxjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622azhpc-spillboxMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjumpazhpc-spillboxjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622azhpc-spillboxMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjumpazhpc-spillboxjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622azhpc-spillboxMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjumpazhpc-spillboxjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622azhpc-spillboxMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjumpazhpc-spillboxjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622azhpc-spillboxMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjumpazhpc-spillboxjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622,azhpc-spillbox,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump,azhpc-spillboxjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.","Security Center","[Preview]: System updates should be installed on your machines (powered by Update Center)"
1d81cec7-7ded-4731-884e-90c5aa59c622,azhpc-spillbox,Microsoft.Compute/virtualMachines,tbd,westus3,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump,azhpc-spillboxjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.","Security Center","Guest Configuration extension should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,azhpc-spillbox,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump,azhpc-spillboxjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats","Security Center","Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring"
1d81cec7-7ded-4731-884e-90c5aa59c622,azhpc-spillbox,Microsoft.Compute/virtualMachines,tbd,westus3,True,Exempt,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump,azhpc-spillboxjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations","Security Center","System updates should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,azhpc-spillbox,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump,azhpc-spillboxjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.","Security Center","[Preview]: Secure Boot should be enabled on supported Windows virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,azhpc-spillbox,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump,azhpc-spillboxjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.","Security Center","[Preview]: vTPM should be enabled on supported virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,azhpc-spillbox,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump,azhpc-spillboxjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.","Update Management Center","[Preview]: Machines should be configured to periodically check for missing system updates"
1d81cec7-7ded-4731-884e-90c5aa59c622,azhpc-spillbox,Microsoft.Compute/virtualMachines,tbd,westus3,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump,azhpc-spillboxjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.","Security Center","SQL servers on machines should have vulnerability findings resolved"
1d81cec7-7ded-4731-884e-90c5aa59c622,azhpc-spillbox,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump,azhpc-spillboxjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface","Security Center","Adaptive network hardening recommendations should be applied on internet facing virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,azhpc-spillbox,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump,azhpc-spillboxjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.","Security Center","Management ports should be closed on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,azhpc-spillbox,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump,azhpc-spillboxjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management","Compute","Virtual machines should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,azhpc-spillbox,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump,azhpc-spillboxjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.","Security Center","[Preview]: Secure Boot should be enabled on supported Windows virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,azhpc-spillbox,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump,azhpc-spillboxjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.","Security Center","IP Forwarding on your virtual machine should be disabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,azhpc-spillbox,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump,azhpc-spillboxjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.","Security Center","Vulnerabilities in container security configurations should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,azhpc-spillbox,Microsoft.Network/virtualNetworks,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.network/virtualnetworks/vnet-spill,vnet-spill,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,3.0.0,vnetenableddosprotectionmonitoring,a7aca53f-2ed4-4466-a25e-0b45ade68efd,/providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd,azure_security_benchmark_v3.0_ns-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.","Security Center","Azure DDoS Protection Standard should be enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,azhpc-spillbox,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump,azhpc-spillboxjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.","Security Center","[Preview]: vTPM should be enabled on supported virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,azhpc-spillbox,Microsoft.Compute/virtualMachines,tbd,westus3,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump,azhpc-spillboxjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.","Security Center","Endpoint protection should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,azhpc-spillbox,Microsoft.Compute/virtualMachines,tbd,westus3,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump,azhpc-spillboxjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.","Security Center","Endpoint protection health issues should be resolved on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,azhpc-spillbox,Microsoft.Compute/virtualMachines,tbd,westus3,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump,azhpc-spillboxjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.","Backup","Azure Backup should be enabled for Virtual Machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,azhpc-spillbox,Microsoft.Compute/virtualMachines,tbd,westus3,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump,azhpc-spillboxjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.","Guest Configuration","Linux machines should meet requirements for the Azure compute security baseline"
1d81cec7-7ded-4731-884e-90c5aa59c622,azhpc-spillbox,Microsoft.Compute/virtualMachines,tbd,westus3,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump,azhpc-spillboxjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.","Guest Configuration","Authentication to Linux machines should require SSH keys"
1d81cec7-7ded-4731-884e-90c5aa59c622,azhpc-spillbox,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump,azhpc-spillboxjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.","Security Center","A vulnerability assessment solution should be enabled on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,azhpc-spillbox,Microsoft.Compute/virtualMachines,tbd,westus3,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump,azhpc-spillboxjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.","Guest Configuration","Authentication to Linux machines should require SSH keys"
1d81cec7-7ded-4731-884e-90c5aa59c622,azhpc-spillbox,Microsoft.Compute/virtualMachines,tbd,westus3,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azhpc-spillbox/providers/microsoft.compute/virtualmachines/azhpc-spillboxjump,azhpc-spillboxjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.","Guest Configuration","Linux machines should meet requirements for the Azure compute security baseline"
1d81cec7-7ded-4731-884e-90c5aa59c622,az-mc-preview-rg,Microsoft.Network/virtualNetworks/subnets,tbd,,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.network/virtualnetworks/vnet-mcpreview/subnets/sn-compute,sn-compute,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.","Security Center","Subnets should be associated with a Network Security Group"
1d81cec7-7ded-4731-884e-90c5aa59c622,az-mc-preview-rg,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01,az-mc-previewvm01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations","Security Center","Management ports of virtual machines should be protected with just-in-time network access control"
1d81cec7-7ded-4731-884e-90c5aa59c622,az-MC-preview-rg,Microsoft.Storage/storageAccounts,tbd,westus3,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.storage/storageaccounts/azmcpreviewrgdiag,azmcpreviewrgdiag,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.","Storage","Storage accounts should restrict network access using virtual network rules"
1d81cec7-7ded-4731-884e-90c5aa59c622,az-mc-preview-rg,Microsoft.Network/virtualNetworks,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.network/virtualnetworks/vnet-mcpreview,vnet-mcpreview,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,3.0.0,networkwatchershouldbeenabledmonitoringeffect,b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,azure_security_benchmark_v3.0_ir-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.","Network","Network Watcher should be enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,az-mc-preview-rg,Microsoft.Network/virtualNetworks,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.network/virtualnetworks/vnet-mcpreview,vnet-mcpreview,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,3.0.0,networkwatchershouldbeenabledmonitoringeffect,b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,azure_security_benchmark_v3.0_ir-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.","Network","Network Watcher should be enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,az-MC-preview-rg,Microsoft.Storage/storageAccounts,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.storage/storageaccounts/azmcpreviewrgdiag,azmcpreviewrgdiag,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.","Storage","[Preview]: Storage account public access should be disallowed"
1d81cec7-7ded-4731-884e-90c5aa59c622,az-MC-preview-rg,Microsoft.Storage/storageAccounts,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.storage/storageaccounts/azmcpreviewrgdiag,azmcpreviewrgdiag,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management","Storage","Storage accounts should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622az-mc-preview-rgMicrosoft.Compute/virtualMachinestbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01az-mc-previewvm0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622az-MC-preview-rgMicrosoft.Storage/storageAccountstbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.storage/storageaccounts/azmcpreviewrgdiagazmcpreviewrgdiag55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622az-MC-preview-rgMicrosoft.Storage/storageAccountstbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.storage/storageaccounts/azmcpreviewrgdiagazmcpreviewrgdiag55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622az-MC-preview-rgMicrosoft.Storage/storageAccountstbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.storage/storageaccounts/azmcpreviewrgdiagazmcpreviewrgdiag55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622az-MC-preview-rgMicrosoft.Storage/storageAccountstbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.storage/storageaccounts/azmcpreviewrgdiagazmcpreviewrgdiag55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622az-mc-preview-rgMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01az-mc-previewvm0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622az-MC-preview-rgMicrosoft.Storage/storageAccountstbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.storage/storageaccounts/azmcpreviewrgdiagazmcpreviewrgdiag55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622az-MC-preview-rgMicrosoft.Storage/storageAccountstbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.storage/storageaccounts/azmcpreviewrgdiagazmcpreviewrgdiag55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622az-mc-preview-rgMicrosoft.Compute/virtualMachinestbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01az-mc-previewvm0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622az-mc-preview-rgMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01az-mc-previewvm0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622az-mc-preview-rgMicrosoft.Compute/virtualMachinestbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01az-mc-previewvm0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622az-mc-preview-rgMicrosoft.Compute/virtualMachinestbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01az-mc-previewvm0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622az-mc-preview-rgMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01az-mc-previewvm0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622az-mc-preview-rgMicrosoft.Network/virtualNetworks/subnetstbdFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.network/virtualnetworks/vnet-mcpreview/subnets/sn-anfsn-anf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622az-mc-preview-rgMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.network/virtualnetworks/vnet-mcpreview/subnets/defaultdefault55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622az-mc-preview-rgMicrosoft.Compute/virtualMachinestbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01az-mc-previewvm0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622az-mc-preview-rgMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01az-mc-previewvm0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622az-mc-preview-rgMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01az-mc-previewvm0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622az-mc-preview-rgMicrosoft.Compute/virtualMachinestbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01az-mc-previewvm0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622az-mc-preview-rgMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01az-mc-previewvm0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622az-mc-preview-rgMicrosoft.Compute/virtualMachinestbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01az-mc-previewvm0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622az-mc-preview-rgMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01az-mc-previewvm0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622az-mc-preview-rgMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01az-mc-previewvm0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
All rows in this block are from subscription 1d81cec7-7ded-4731-884e-90c5aa59c622, resource group az-mc-preview-rg (written az-MC-preview-rg on the two storage-account rows), region westus3. Resource IDs follow /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/<type>/<name>; policy definition IDs follow /providers/microsoft.authorization/policydefinitions/<guid>; policy set IDs follow /providers/Microsoft.Authorization/policySetDefinitions/<guid>. Three assignments appear:
    SecurityCenterBuiltIn: scope /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622, id /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
    Azure_Security_Baseline: scope /providers/Microsoft.Management/managementGroups/MCAPSCore, id /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
    f34f1577286a4f77b5dd107c: scope /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd, id /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c
In every row ResourceTags, PolicyDefinitionCategory and PolicyAssignmentParameters hold the export's placeholder "tbd" (no value); "System.Object[]" in PolicyDefinitionGroupNames is an array the export did not expand. EffectiveParameters, PolicySetDefinitionParameters, PolicySetDefinitionOwner, PolicyEvaluationDetails, PolicyAssignmentVersion and PolicyAssignmentOwner are empty throughout.

az-mc-previewvm01 (Microsoft.Compute/virtualMachines) -- Compliant (IsCompliant=True)
    Policy: IP Forwarding on your virtual machine should be disabled  [Security Center]
    Definition: bd352bd5-2853-4985-bf0d-73806b4a5744 v3.0.0, effect auditifnotexists, reference disableipforwardingmonitoring, group azure_security_benchmark_v3.0_ns-3
    Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 v55.0.0 (security center)
    Assignment: Azure_Security_Baseline
    Description: Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.

az-mc-previewvm01 (Microsoft.Compute/virtualMachines) -- Compliant (IsCompliant=True)
    Policy: Vulnerabilities in container security configurations should be remediated  [Security Center]
    Definition: e8cbc669-f12d-49eb-93e7-9273119e9933 v3.0.0, effect auditifnotexists, reference containerbenchmarkmonitoring, groups System.Object[]
    Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 v55.0.0 (security center)
    Assignment: Azure_Security_Baseline
    Description: Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.

az-mc-previewvm01 (Microsoft.Compute/virtualMachines) -- Compliant (IsCompliant=True)
    Policy: Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities  [Guest Configuration]
    Definition: 3cf2ab00-13f1-4d0c-8971-2ac904541a7e v4.0.0, effect modify, reference prerequisite_addsystemidentitywhennone
    Policy set: 12794019-7a00-42cf-95c2-882eed337cc8 v1.0.0 (guest configuration)
    Assignment: f34f1577286a4f77b5dd107c
    Description: This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.

az-mc-previewvm01 (Microsoft.Compute/virtualMachines) -- NonCompliant (IsCompliant=False)
    Policy: Azure Backup should be enabled for Virtual Machines  [Backup]
    Definition: 013e242c-8828-4970-87b3-ab247555486d v3.0.0, effect auditifnotexists, reference azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect, groups System.Object[]
    Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 v55.0.0 (security center)
    Assignment: SecurityCenterBuiltIn
    Description: Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.

az-mc-previewvm01 (Microsoft.Compute/virtualMachines) -- NonCompliant (IsCompliant=False)
    Policy: Endpoint protection should be installed on your machines  [Security Center]
    Definition: 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 v1.0.0, effect auditifnotexists, reference installendpointprotection, group azure_security_benchmark_v3.0_es-2
    Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 v55.0.0 (security center)
    Assignment: Azure_Security_Baseline
    Description: To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.

az-mc-previewvm01 (Microsoft.Compute/virtualMachines) -- NonCompliant (IsCompliant=False)
    Policy: Endpoint protection health issues should be resolved on your machines  [Security Center]
    Definition: 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 v1.0.0, effect auditifnotexists, reference endpointprotectionhealthissuesmonitoringeffect, groups System.Object[]
    Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 v55.0.0 (security center)
    Assignment: Azure_Security_Baseline
    Description: Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.

az-mc-previewvm01 (Microsoft.Compute/virtualMachines) -- Compliant (IsCompliant=True)
    Policy: Vulnerabilities in security configuration on your machines should be remediated  [Security Center]
    Definition: e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 v3.0.0, effect auditifnotexists, reference systemconfigurationsmonitoring, group azure_security_benchmark_v3.0_pv-6
    Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 v55.0.0 (security center)
    Assignment: Azure_Security_Baseline
    Description: Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations.

az-mc-previewvm01 (Microsoft.Compute/virtualMachines) -- Compliant (IsCompliant=True)
    Policy: Non-internet-facing virtual machines should be protected with network security groups  [Security Center]
    Definition: bb91dfba-c30d-4263-9add-9c2384e659a6 v3.0.0, effect auditifnotexists, reference networksecuritygroupsoninternalvirtualmachinesmonitoring, group azure_security_benchmark_v3.0_ns-1
    Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 v55.0.0 (security center)
    Assignment: Azure_Security_Baseline
    Description: Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc

azmcpreviewrgdiag (Microsoft.Storage/storageAccounts, resource group az-MC-preview-rg) -- NonCompliant (IsCompliant=False)
    Policy: Storage accounts should use private link  [Storage]
    Definition: 6edd7eda-6dd8-40f7-810d-67160c639cd9 v2.0.0, effect auditifnotexists, reference storageaccountshoulduseaprivatelinkconnectionmonitoringeffect, group azure_security_benchmark_v3.0_ns-2
    Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 v55.0.0 (security center)
    Assignment: SecurityCenterBuiltIn
    Description: Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview

vnet-mcpreview (Microsoft.Network/virtualNetworks) -- Compliant (IsCompliant=True)
    Policy: Azure DDoS Protection Standard should be enabled  [Security Center]
    Definition: a7aca53f-2ed4-4466-a25e-0b45ade68efd v3.0.0, effect auditifnotexists, reference vnetenableddosprotectionmonitoring, group azure_security_benchmark_v3.0_ns-5
    Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 v55.0.0 (security center)
    Assignment: SecurityCenterBuiltIn
    Description: DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.

azmcpreviewrgdiag (Microsoft.Storage/storageAccounts, resource group az-MC-preview-rg) -- NonCompliant (IsCompliant=False)
    Policy: Storage accounts should use private link  [Storage]
    Definition: 6edd7eda-6dd8-40f7-810d-67160c639cd9 v2.0.0, effect auditifnotexists, reference storageaccountshoulduseaprivatelinkconnectionmonitoringeffect, group azure_security_benchmark_v3.0_ns-2
    Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 v55.0.0 (security center)
    Assignment: Azure_Security_Baseline
    Description: Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview

az-mc-previewvm01 (Microsoft.Compute/virtualMachines) -- Compliant (IsCompliant=True)
    Policy: Internet-facing virtual machines should be protected with network security groups  [Security Center]
    Definition: f6de0be7-9a8a-4b8a-b349-43cf02d22f7c v3.0.0, effect auditifnotexists, reference networksecuritygroupsonvirtualmachinesmonitoring, group azure_security_benchmark_v3.0_ns-1
    Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 v55.0.0 (security center)
    Assignment: Azure_Security_Baseline
    Description: Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc

az-mc-previewvm01 (Microsoft.Compute/virtualMachines) -- Compliant (IsCompliant=True)
    Policy: Allowlist rules in your adaptive application control policy should be updated  [Security Center]
    Definition: 123a3936-f020-408a-ba0c-47873faf1534 v3.0.0, effect auditifnotexists, reference adaptiveapplicationcontrolsupdatemonitoring, group azure_security_benchmark_v3.0_am-5
    Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 v55.0.0 (security center)
    Assignment: Azure_Security_Baseline
    Description: Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.

az-mc-previewvm01 (Microsoft.Compute/virtualMachines) -- NonCompliant (IsCompliant=False)
    Policy: [Preview]: Network traffic data collection agent should be installed on Linux virtual machines  [Monitoring]
    Definition: 04c4380f-3fae-46e8-96c9-30193528f602 v1.0.2-preview, effect auditifnotexists, reference ascdependencyagentauditlinuxeffect, group azure_security_benchmark_v3.0_lt-4
    Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 v55.0.0 (security center)
    Assignment: Azure_Security_Baseline
    Description: Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.

az-mc-previewvm01 (Microsoft.Compute/virtualMachines) -- Compliant (IsCompliant=True)
    Policy: Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity  [Guest Configuration]
    Definition: 497dff13-db2a-4c0f-8603-28fa3b331ab6 v4.0.0, effect modify, reference prerequisite_addsystemidentitywhenuser
    Policy set: 12794019-7a00-42cf-95c2-882eed337cc8 v1.0.0 (guest configuration)
    Assignment: f34f1577286a4f77b5dd107c
    Description: This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.

az-mc-previewvm01 (Microsoft.Compute/virtualMachines) -- Compliant (IsCompliant=True)
    Policy: [Preview]: System updates should be installed on your machines (powered by Update Center)  [Security Center]
    Definition: f85bf3e0-d513-442e-89c3-1784ad63382b v1.0.0-preview, effect auditifnotexists, reference systemupdatesv2monitoring, group azure_security_benchmark_v3.0_pv-6
    Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 v55.0.0 (security center)
    Assignment: SecurityCenterBuiltIn
    Description: Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.

az-mc-previewvm01 (Microsoft.Compute/virtualMachines) -- NonCompliant (IsCompliant=False)
    Policy: [Preview]: Machines should be configured to periodically check for missing system updates  [Update Management Center]
    Definition: bd876905-5b84-4f73-ab2d-2e7a7c4568d9 v2.0.0-preview, effect audit, reference systemupdatesautoassessmentmode, group azure_security_benchmark_v3.0_pv-6
    Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 v55.0.0 (security center)
    Assignment: SecurityCenterBuiltIn
    Description: To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.

az-mc-previewvm01 (Microsoft.Compute/virtualMachines) -- Compliant (IsCompliant=True)
    Policy: Adaptive application controls for defining safe applications should be enabled on your machines  [Security Center]
    Definition: 47a6b606-51aa-4496-8bb7-64b11cf66adc v3.0.0, effect auditifnotexists, reference adaptiveapplicationcontrolsmonitoring, group azure_security_benchmark_v3.0_am-5
    Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 v55.0.0 (security center)
    Assignment: SecurityCenterBuiltIn
    Description: Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.

az-mc-previewvm01 (Microsoft.Compute/virtualMachines) -- Compliant (IsCompliant=True)
    Policy: Allowlist rules in your adaptive application control policy should be updated  [Security Center]
    Definition: 123a3936-f020-408a-ba0c-47873faf1534 v3.0.0, effect auditifnotexists, reference adaptiveapplicationcontrolsupdatemonitoring, group azure_security_benchmark_v3.0_am-5
    Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 v55.0.0 (security center)
    Assignment: SecurityCenterBuiltIn
    Description: Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.

az-mc-previewvm01 (Microsoft.Compute/virtualMachines) -- Compliant (IsCompliant=True)
    Policy: Internet-facing virtual machines should be protected with network security groups  [Security Center]
    Definition: f6de0be7-9a8a-4b8a-b349-43cf02d22f7c v3.0.0, effect auditifnotexists, reference networksecuritygroupsonvirtualmachinesmonitoring, group azure_security_benchmark_v3.0_ns-1
    Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 v55.0.0 (security center)
    Assignment: SecurityCenterBuiltIn
    Description: Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc

az-mc-previewvm01 (Microsoft.Compute/virtualMachines) -- Compliant (IsCompliant=True)
    Policy: Non-internet-facing virtual machines should be protected with network security groups  [Security Center]
    Definition: bb91dfba-c30d-4263-9add-9c2384e659a6 v3.0.0, effect auditifnotexists, reference networksecuritygroupsoninternalvirtualmachinesmonitoring, group azure_security_benchmark_v3.0_ns-1
    Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 v55.0.0 (security center)
    Assignment: SecurityCenterBuiltIn
    Description: Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc

az-mc-previewvm01 (Microsoft.Compute/virtualMachines) -- Compliant (IsCompliant=True)
    Policy: Vulnerabilities in security configuration on your machines should be remediated  [Security Center]
    Definition: e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 v3.0.0, effect auditifnotexists, reference systemconfigurationsmonitoring, group azure_security_benchmark_v3.0_pv-6
    Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 v55.0.0 (security center)
    Assignment: SecurityCenterBuiltIn
    Description: Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations.

az-mc-previewvm01 (Microsoft.Compute/virtualMachines) -- Compliant (IsCompliant=True)
    Policy: Monitor missing Endpoint Protection in Azure Security Center  [Security Center]
    Definition: af6cd1bd-1635-48cb-bde7-5b15693900b9 v3.0.0, effect auditifnotexists, reference endpointprotectionmonitoring, group azure_security_benchmark_v3.0_es-2
    Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 v55.0.0 (security center)
    Assignment: SecurityCenterBuiltIn
    Description: Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations.

az-mc-previewvm01 (Microsoft.Compute/virtualMachines) -- Compliant (IsCompliant=True)
    Policy: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources  [Security Center]
    Definition: 0961003e-5a0a-4549-abde-af6a37f2724d v2.0.3, effect auditifnotexists, reference diskencryptionmonitoring, group azure_security_benchmark_v3.0_dp-4
    Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 v55.0.0 (security center)
    Assignment: SecurityCenterBuiltIn
    Description: By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison

az-mc-previewvm01 (Microsoft.Compute/virtualMachines) -- NonCompliant (IsCompliant=False)
    Policy: A vulnerability assessment solution should be enabled on your virtual machines  [Security Center]
    Definition: 501541f7-f7e7-4cd6-868c-4190fdad3ac9 v3.0.0, effect auditifnotexists, reference servervulnerabilityassessment, group azure_security_benchmark_v3.0_pv-5
    Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 v55.0.0 (security center)
    Assignment: SecurityCenterBuiltIn
    Description: Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.

az-mc-previewvm01 (Microsoft.Compute/virtualMachines) -- Compliant (IsCompliant=True)
    Policy: All network ports should be restricted on network security groups associated to your virtual machine  [Security Center]
    Definition: 9daedab3-fb2d-461e-b861-71790eead4f6 v3.0.0, effect auditifnotexists, reference nextgenerationfirewallmonitoring, group azure_security_benchmark_v3.0_ns-1
    Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 v55.0.0 (security center)
    Assignment: SecurityCenterBuiltIn
    Description: Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.

az-mc-previewvm01 (Microsoft.Compute/virtualMachines) -- NonCompliant (IsCompliant=False)
    Policy: SQL servers on machines should have vulnerability findings resolved  [Security Center]
    Definition: 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d v1.0.0, effect auditifnotexists, reference serversqldbvulnerabilityassesmentmonitoring, group azure_security_benchmark_v3.0_pv-6
    Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 v55.0.0 (security center)
    Assignment: SecurityCenterBuiltIn
    Description: SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.

az-mc-previewvm01 (Microsoft.Compute/virtualMachines) -- Compliant (IsCompliant=True)
    Policy: Virtual machines should be migrated to new Azure Resource Manager resources  [Compute]
    Definition: 1d84d5fb-01f6-4d12-ba4f-4a26081d403d v1.0.0, effect audit, reference classiccomputevmsmonitoring, group azure_security_benchmark_v3.0_am-2
    Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 v55.0.0 (security center)
    Assignment: SecurityCenterBuiltIn
    Description: Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management.

az-mc-previewvm01 (Microsoft.Compute/virtualMachines) -- Compliant (IsCompliant=True)
    Policy: Management ports should be closed on your virtual machines  [Security Center]
    Definition: 22730e10-96f6-4aac-ad84-9383d35b5917 v3.0.0, effect auditifnotexists, reference restrictaccesstomanagementportsmonitoring, group azure_security_benchmark_v3.0_ns-3
    Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 v55.0.0 (security center)
    Assignment: SecurityCenterBuiltIn
    Description: Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.

az-mc-previewvm01 (Microsoft.Compute/virtualMachines) -- Compliant (IsCompliant=True)
    Policy: IP Forwarding on your virtual machine should be disabled  [Security Center]
    Definition: bd352bd5-2853-4985-bf0d-73806b4a5744 v3.0.0, effect auditifnotexists, reference disableipforwardingmonitoring, group azure_security_benchmark_v3.0_ns-3
    Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 v55.0.0 (security center)
    Assignment: SecurityCenterBuiltIn
    Description: Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.
1d81cec7-7ded-4731-884e-90c5aa59c622az-mc-preview-rgMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01az-mc-previewvm0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622az-mc-preview-rgMicrosoft.Compute/virtualMachinestbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01az-mc-previewvm0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2-previewascdependencyagentauditlinuxeffect04c4380f-3fae-46e8-96c9-30193528f602/providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602azure_security_benchmark_v3.0_lt-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSecurity Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.Monitoring[Preview]: Network traffic data collection agent should be installed on Linux virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622az-mc-preview-rgMicrosoft.Compute/virtualMachinestbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01az-mc-previewvm0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622az-mc-preview-rgMicrosoft.Compute/virtualMachinestbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01az-mc-previewvm0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622az-mc-preview-rgMicrosoft.Compute/virtualMachinestbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01az-mc-previewvm0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622az-mc-preview-rgMicrosoft.Compute/virtualMachinestbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01az-mc-previewvm0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622az-mc-preview-rgMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01az-mc-previewvm0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622az-mc-preview-rgMicrosoft.Compute/virtualMachinestbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01az-mc-previewvm011.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration3.0.0prerequisite_deployextensionlinux331e8ea8-378a-410f-a2e5-ae22f38bb0da/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0datbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622az-mc-preview-rgMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01az-mc-previewvm0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622az-mc-preview-rgMicrosoft.Compute/virtualMachinestbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01az-mc-previewvm0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622az-mc-preview-rgMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01az-mc-previewvm0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622az-mc-preview-rgMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01az-mc-previewvm0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622az-mc-preview-rgMicrosoft.Compute/virtualMachinestbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01az-mc-previewvm0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622az-mc-preview-rgMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01az-mc-previewvm0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622az-mc-preview-rgMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01az-mc-previewvm0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622az-mc-preview-rgMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01az-mc-previewvm0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622az-mc-preview-rgMicrosoft.Compute/virtualMachinestbdwestus3TrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01az-mc-previewvm0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622az-mc-preview-rgMicrosoft.Compute/virtualMachinestbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/az-mc-preview-rg/providers/microsoft.compute/virtualmachines/az-mc-previewvm01az-mc-previewvm0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01ck-linux-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01ck-linux-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01ck-linux-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01ck-linux-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01ck-linux-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01ck-linux-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01ck-linux-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01ck-linux-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01ck-linux-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01ck-linux-011.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01ck-linux-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01ck-linux-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01ck-linux-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01ck-linux-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01ck-linux-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01ck-linux-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01ck-linux-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01ck-linux-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01ck-linux-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01ck-linux-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01ck-linux-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01ck-linux-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01ck-linux-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01ck-linux-011.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01ck-linux-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01ck-linux-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01ck-linux-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01ck-linux-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Network/virtualNetworkstbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.network/virtualnetworks/azpr-sixnines-pure-vnet01azpr-sixnines-pure-vnet0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01ck-linux-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01ck-linux-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Network/virtualNetworkstbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.network/virtualnetworks/azpr-sixnines-pure-vnet01azpr-sixnines-pure-vnet0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Network/virtualNetworks/subnetstbdFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.network/virtualnetworks/azpr-sixnines-pure-vnet01/subnets/storagestorage55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.network/virtualnetworks/azpr-sixnines-pure-vnet01/subnets/computecompute55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.network/virtualnetworks/azpr-sixnines-pure-vnet01/subnets/cyclecycle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01ck-linux-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01ck-win-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0windowsguestconfigbaselinesmonitoring72650e9f-97bc-4b2a-ab5f-9781a9fcecbc/providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbcazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationWindows machines should meet requirements of the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01ck-linux-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01ck-linux-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01ck-linux-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01ck-linux-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01ck-linux-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01ck-linux-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Network/virtualNetworkstbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.network/virtualnetworks/azpr-sixnines-pure-vnet01azpr-sixnines-pure-vnet0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vnetenableddosprotectionmonitoringa7aca53f-2ed4-4466-a25e-0b45ade68efd/providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efdazure_security_benchmark_v3.0_ns-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.Security CenterAzure DDoS Protection Standard should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01ck-linux-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01ck-linux-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01ck-linux-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01ck-linux-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01ck-linux-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01ck-linux-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01ck-linux-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01ck-linux-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01ck-linux-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01ck-linux-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622AZPR-SIXNINES-PUREMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudservercyclecloudserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622AZPR-SIXNINES-PUREMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudservercyclecloudserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622AZPR-SIXNINES-PUREMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudservercyclecloudserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachines/extensionstbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01/extensions/azurepolicyforwindowsazurepolicyforwindows55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622AZPR-SIXNINES-PUREMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudservercyclecloudserver1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622,AZPR-SIXNINES-PURE,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver,cyclecloudserver,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhenuser,497dff13-db2a-4c0f-8603-28fa3b331ab6,/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity"
1d81cec7-7ded-4731-884e-90c5aa59c622,AZPR-SIXNINES-PURE,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver,cyclecloudserver,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,"Virtual machines should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,AZPR-SIXNINES-PURE,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver,cyclecloudserver,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,"[Preview]: Machines should be configured to periodically check for missing system updates"
1d81cec7-7ded-4731-884e-90c5aa59c622,AZPR-SIXNINES-PURE,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver,cyclecloudserver,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,"[Preview]: vTPM should be enabled on supported virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,AZPR-SIXNINES-PURE,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver,cyclecloudserver,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,"[Preview]: Secure Boot should be enabled on supported Windows virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,azpr-sixnines-pure,Microsoft.Compute/virtualMachines/extensions,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver/extensions/azurepolicyforlinux,azurepolicyforlinux,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,"Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity"
1d81cec7-7ded-4731-884e-90c5aa59c622,azpr-sixnines-pure,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01,ck-linux-01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Linux machines should meet requirements for the Azure compute security baseline"
1d81cec7-7ded-4731-884e-90c5aa59c622,azpr-sixnines-pure,Microsoft.Compute/virtualMachines/extensions,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver/extensions/azurepolicyforlinux,azurepolicyforlinux,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,"Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity"
1d81cec7-7ded-4731-884e-90c5aa59c622,AZPR-SIXNINES-PURE,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver,cyclecloudserver,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,"Endpoint protection health issues should be resolved on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,AZPR-SIXNINES-PURE,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver,cyclecloudserver,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,"Endpoint protection should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,AZPR-SIXNINES-PURE,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver,cyclecloudserver,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,3.0.0,prerequisite_deployextensionlinux,331e8ea8-378a-410f-a2e5-ae22f38bb0da,/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da,,tbd,deployifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs"
1d81cec7-7ded-4731-884e-90c5aa59c622,AZPR-SIXNINES-PURE,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver,cyclecloudserver,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,"Vulnerabilities in container security configurations should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,AZPR-SIXNINES-PURE,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver,cyclecloudserver,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,"Virtual machines should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,AZPR-SIXNINES-PURE,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver,cyclecloudserver,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,"IP Forwarding on your virtual machine should be disabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,AZPR-SIXNINES-PURE,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver,cyclecloudserver,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,"Management ports should be closed on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,azpr-sixnines-pure,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01,ck-win-01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect,5752e6d6-1206-46d8-8ab1-ecc2f71a8112,/providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112,azure_security_benchmark_v3.0_dp-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.",Guest Configuration,"Windows web servers should be configured to use secure communication protocols"
1d81cec7-7ded-4731-884e-90c5aa59c622,AZPR-SIXNINES-PURE,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver,cyclecloudserver,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,"SQL servers on machines should have vulnerability findings resolved"
1d81cec7-7ded-4731-884e-90c5aa59c622,azpr-sixnines-pure,Microsoft.Compute/virtualMachines/extensions,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01/extensions/azurepolicyforwindows,azurepolicyforwindows,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,"Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity"
1d81cec7-7ded-4731-884e-90c5aa59c622,azpr-sixnines-pure,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01,ck-win-01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,"Endpoint protection should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,azpr-sixnines-pure,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01,ck-win-01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,"[Preview]: System updates should be installed on your machines (powered by Update Center)"
1d81cec7-7ded-4731-884e-90c5aa59c622,azpr-sixnines-pure,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01,ck-win-01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,"Management ports of virtual machines should be protected with just-in-time network access control"
1d81cec7-7ded-4731-884e-90c5aa59c622,azpr-sixnines-pure,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01,ck-win-01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,"Adaptive application controls for defining safe applications should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,azpr-sixnines-pure,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01,ck-win-01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,"Allowlist rules in your adaptive application control policy should be updated"
1d81cec7-7ded-4731-884e-90c5aa59c622,azpr-sixnines-pure,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01,ck-win-01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,azpr-sixnines-pure,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01,ck-win-01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Non-internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,azpr-sixnines-pure,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01,ck-win-01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,"Vulnerabilities in security configuration on your machines should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,azpr-sixnines-pure,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01,ck-win-01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,"Monitor missing Endpoint Protection in Azure Security Center"
1d81cec7-7ded-4731-884e-90c5aa59c622,azpr-sixnines-pure,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01,ck-win-01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,"Endpoint protection health issues should be resolved on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,azpr-sixnines-pure,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01,ck-win-01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,azpr-sixnines-pure,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01,ck-win-01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,"All network ports should be restricted on network security groups associated to your virtual machine"
1d81cec7-7ded-4731-884e-90c5aa59c622,azpr-sixnines-pure,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01,ck-win-01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,"SQL servers on machines should have vulnerability findings resolved"
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01ck-win-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01ck-win-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01ck-win-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01ck-win-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01ck-win-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0windowsdefenderexploitguardmonitoringbed48b13-6647-468e-aa2f-1af1d3f4dd40/providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinWindows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).Guest ConfigurationWindows Defender Exploit Guard should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01ck-win-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01ck-win-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01ck-win-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622AZPR-SIXNINES-PUREMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudservercyclecloudserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622AZPR-SIXNINES-PUREMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudservercyclecloudserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622AZPR-SIXNINES-PUREMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudservercyclecloudserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622AZPR-SIXNINES-PUREMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudservercyclecloudserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622AZPR-SIXNINES-PUREMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudservercyclecloudserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622AZPR-SIXNINES-PUREMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudservercyclecloudserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622AZPR-SIXNINES-PUREMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudservercyclecloudserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622AZPR-SIXNINES-PUREMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudservercyclecloudserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622AZPR-SIXNINES-PUREMicrosoft.Compute/virtualMachinestbdwestusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudservercyclecloudserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622AZPR-SIXNINES-PUREMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudservercyclecloudserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622AZPR-SIXNINES-PUREMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudservercyclecloudserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622AZPR-SIXNINES-PUREMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudservercyclecloudserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622AZPR-SIXNINES-PUREMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudservercyclecloudserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622AZPR-SIXNINES-PUREMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudservercyclecloudserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622AZPR-SIXNINES-PUREMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudservercyclecloudserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,AZPR-SIXNINES-PURE,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver,cyclecloudserver,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,"Allowlist rules in your adaptive application control policy should be updated"
1d81cec7-7ded-4731-884e-90c5aa59c622,AZPR-SIXNINES-PURE,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver,cyclecloudserver,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,"Adaptive application controls for defining safe applications should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,AZPR-SIXNINES-PURE,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver,cyclecloudserver,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,"Management ports of virtual machines should be protected with just-in-time network access control"
1d81cec7-7ded-4731-884e-90c5aa59c622,AZPR-SIXNINES-PURE,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver,cyclecloudserver,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,"[Preview]: System updates should be installed on your machines (powered by Update Center)"
1d81cec7-7ded-4731-884e-90c5aa59c622,azpr-sixnines-pure,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01,ck-linux-01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,"Authentication to Linux machines should require SSH keys"
1d81cec7-7ded-4731-884e-90c5aa59c622,AZPR-SIXNINES-PURE,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver,cyclecloudserver,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,"Monitor missing Endpoint Protection in Azure Security Center"
1d81cec7-7ded-4731-884e-90c5aa59c622,AZPR-SIXNINES-PURE,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver,cyclecloudserver,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,"A vulnerability assessment solution should be enabled on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,AZPR-SIXNINES-PURE,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver,cyclecloudserver,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,"Vulnerabilities in container security configurations should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,azpr-sixnines-pure,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01,ck-linux-01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Linux machines should meet requirements for the Azure compute security baseline"
1d81cec7-7ded-4731-884e-90c5aa59c622,AZPR-SIXNINES-PURE,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver,cyclecloudserver,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,AZPR-SIXNINES-PURE,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver,cyclecloudserver,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,"Monitor missing Endpoint Protection in Azure Security Center"
1d81cec7-7ded-4731-884e-90c5aa59c622,AZPR-SIXNINES-PURE,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver,cyclecloudserver,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,"Vulnerabilities in security configuration on your machines should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,AZPR-SIXNINES-PURE,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver,cyclecloudserver,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Non-internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,AZPR-SIXNINES-PURE,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver,cyclecloudserver,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,"Allowlist rules in your adaptive application control policy should be updated"
1d81cec7-7ded-4731-884e-90c5aa59c622,AZPR-SIXNINES-PURE,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver,cyclecloudserver,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,AZPR-SIXNINES-PURE,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver,cyclecloudserver,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,"Adaptive application controls for defining safe applications should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,AZPR-SIXNINES-PURE,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver,cyclecloudserver,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,"Management ports of virtual machines should be protected with just-in-time network access control"
1d81cec7-7ded-4731-884e-90c5aa59c622,AZPR-SIXNINES-PURE,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver,cyclecloudserver,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,"Guest Configuration extension should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,AZPR-SIXNINES-PURE,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver,cyclecloudserver,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,"[Preview]: Machines should be configured to periodically check for missing system updates"
1d81cec7-7ded-4731-884e-90c5aa59c622,AZPR-SIXNINES-PURE,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver,cyclecloudserver,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,"System updates should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,azpr-sixnines-pure,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01,ck-win-01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,windowsdefenderexploitguardmonitoring,bed48b13-6647-468e-aa2f-1af1d3f4dd40,/providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).",Guest Configuration,"Windows Defender Exploit Guard should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,AZPR-SIXNINES-PURE,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver,cyclecloudserver,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,"Guest Configuration extension should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,azpr-sixnines-pure,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01,ck-win-01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,windowsguestconfigbaselinesmonitoring,72650e9f-97bc-4b2a-ab5f-9781a9fcecbc,/providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Windows machines should meet requirements of the Azure compute security baseline"
1d81cec7-7ded-4731-884e-90c5aa59c622,AZPR-SIXNINES-PURE,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver,cyclecloudserver,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,"Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring"
1d81cec7-7ded-4731-884e-90c5aa59c622,AZPR-SIXNINES-PURE,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver,cyclecloudserver,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,"Azure Backup should be enabled for Virtual Machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,AZPR-SIXNINES-PURE,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver,cyclecloudserver,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,"Endpoint protection health issues should be resolved on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,AZPR-SIXNINES-PURE,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver,cyclecloudserver,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,"Endpoint protection should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,AZPR-SIXNINES-PURE,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver,cyclecloudserver,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,"[Preview]: System updates should be installed on your machines (powered by Update Center)"
1d81cec7-7ded-4731-884e-90c5aa59c622,azpr-sixnines-pure,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01,ck-win-01,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,1.2.0,prerequisite_deployextensionwindows,385f5831-96d4-41db-9a3c-cd3af78aaae6,/providers/microsoft.authorization/policydefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6,,tbd,deployifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs"
1d81cec7-7ded-4731-884e-90c5aa59c622,azpr-sixnines-pure,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01,ck-win-01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,"Monitor missing Endpoint Protection in Azure Security Center"
1d81cec7-7ded-4731-884e-90c5aa59c622,azpr-sixnines-pure,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01,ck-linux-01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,"Authentication to Linux machines should require SSH keys"
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01ck-win-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01ck-win-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622AZPR-SIXNINES-PUREMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudservercyclecloudserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01ck-win-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01ck-win-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01ck-win-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01ck-win-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01ck-win-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachines/extensionstbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01ck-win-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachines/extensionstbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01ck-win-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01ck-win-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01ck-win-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect5752e6d6-1206-46d8-8ab1-ecc2f71a8112/providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112azure_security_benchmark_v3.0_dp-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.Guest ConfigurationWindows web servers should be configured to use secure communication protocols
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01ck-win-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01ck-win-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01ck-win-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01ck-win-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01ck-win-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01ck-win-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01ck-win-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01ck-win-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622azpr-sixnines-pureMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01ck-win-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
SubscriptionId,ResourceGroup,ResourceType,ResourceTags,ResourceLocation,IsCompliant,ComplianceState,EffectiveParameters,ResourceId,Resource,PolicySetDefinitionVersion,PolicySetDefinitionParameters,PolicySetDefinitionOwner,PolicySetDefinitionName,PolicySetDefinitionId,PolicySetDefinitionCategory,PolicyEvaluationDetails,PolicyDefinitionVersion,PolicyDefinitionReferenceId,PolicyDefinitionName,PolicyDefinitionId,PolicyDefinitionGroupNames,PolicyDefinitionCategory,PolicyDefinitionAction,PolicyAssignmentVersion,PolicyAssignmentScope,PolicyAssignmentParameters,PolicyAssignmentOwner,PolicyAssignmentName,PolicyAssignmentId,PolicyDescription,PolicyCategory,PolicyDisplayName
1d81cec7-7ded-4731-884e-90c5aa59c622,azpr-sixnines-pure,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01,ck-win-01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,"[Preview]: Machines should be configured to periodically check for missing system updates"
1d81cec7-7ded-4731-884e-90c5aa59c622,azpr-sixnines-pure,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01,ck-win-01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,"[Preview]: Secure Boot should be enabled on supported Windows virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,azpr-sixnines-pure,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01,ck-win-01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,"Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring"
1d81cec7-7ded-4731-884e-90c5aa59c622,AZPR-SIXNINES-PURE,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver,cyclecloudserver,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Linux machines should meet requirements for the Azure compute security baseline"
1d81cec7-7ded-4731-884e-90c5aa59c622,azpr-sixnines-pure,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01,ck-win-01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,"Azure Backup should be enabled for Virtual Machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,AZPR-SIXNINES-PURE,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/cyclecloudserver,cyclecloudserver,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Linux machines should meet requirements for the Azure compute security baseline"
1d81cec7-7ded-4731-884e-90c5aa59c622,azpr-sixnines-pure,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01,ck-linux-01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,"IP Forwarding on your virtual machine should be disabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,azpr-sixnines-pure,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01,ck-win-01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,"Endpoint protection health issues should be resolved on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,azpr-sixnines-pure,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01,ck-win-01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,"Endpoint protection should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,azpr-sixnines-pure,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01,ck-win-01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,"Guest Configuration extension should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,azpr-sixnines-pure,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01,ck-linux-01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,"Vulnerabilities in container security configurations should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,azpr-sixnines-pure,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01,ck-linux-01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,"Azure Backup should be enabled for Virtual Machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,azpr-sixnines-pure,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01,ck-win-01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,"Virtual machines should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,azpr-sixnines-pure,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01,ck-linux-01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,"Endpoint protection should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,azpr-sixnines-pure,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01,ck-linux-01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,"Endpoint protection health issues should be resolved on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,azpr-sixnines-pure,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-linux-01,ck-linux-01,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,3.0.0,prerequisite_deployextensionlinux,331e8ea8-378a-410f-a2e5-ae22f38bb0da,/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da,,tbd,deployifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs"
1d81cec7-7ded-4731-884e-90c5aa59c622,azpr-sixnines-pure,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01,ck-win-01,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhennone,3cf2ab00-13f1-4d0c-8971-2ac904541a7e,/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities"
1d81cec7-7ded-4731-884e-90c5aa59c622,azpr-sixnines-pure,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01,ck-win-01,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhenuser,497dff13-db2a-4c0f-8603-28fa3b331ab6,/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity"
1d81cec7-7ded-4731-884e-90c5aa59c622,azpr-sixnines-pure,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01,ck-win-01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,"Vulnerabilities in container security configurations should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,azpr-sixnines-pure,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01,ck-win-01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,"Virtual machines should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,azpr-sixnines-pure,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01,ck-win-01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,"[Preview]: Machines should be configured to periodically check for missing system updates"
1d81cec7-7ded-4731-884e-90c5aa59c622,azpr-sixnines-pure,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azpr-sixnines-pure/providers/microsoft.compute/virtualmachines/ck-win-01,ck-win-01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,"[Preview]: vTPM should be enabled on supported virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,AzureBatch-356b4899-5167-4e58-94ed-64c54f929c08-C,Microsoft.Network/virtualNetworks,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azurebatch-356b4899-5167-4e58-94ed-64c54f929c08-c/providers/microsoft.network/virtualnetworks/azurebatch-356b4899-5167-4e58-94ed-64c54f929c08-cvnet,azurebatch-356b4899-5167-4e58-94ed-64c54f929c08-cvnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vnetenableddosprotectionmonitoring,a7aca53f-2ed4-4466-a25e-0b45ade68efd,/providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd,azure_security_benchmark_v3.0_ns-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.",Security Center,"Azure DDoS Protection Standard should be enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,AzureBatch-356b4899-5167-4e58-94ed-64c54f929c08-C,Microsoft.Network/virtualNetworks/subnets,tbd,,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azurebatch-356b4899-5167-4e58-94ed-64c54f929c08-c/providers/microsoft.network/virtualnetworks/azurebatch-356b4899-5167-4e58-94ed-64c54f929c08-cvnet/subnets/subnet-1,subnet-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",Security Center,"Subnets should be associated with a Network Security Group"
1d81cec7-7ded-4731-884e-90c5aa59c622,AzureBatch-356b4899-5167-4e58-94ed-64c54f929c08-C,Microsoft.Network/virtualNetworks,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azurebatch-356b4899-5167-4e58-94ed-64c54f929c08-c/providers/microsoft.network/virtualnetworks/azurebatch-356b4899-5167-4e58-94ed-64c54f929c08-cvnet,azurebatch-356b4899-5167-4e58-94ed-64c54f929c08-cvnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networkwatchershouldbeenabledmonitoringeffect,b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,azure_security_benchmark_v3.0_ir-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.",Network,"Network Watcher should be enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,AzureBatch-356b4899-5167-4e58-94ed-64c54f929c08-C,Microsoft.Network/virtualNetworks,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azurebatch-356b4899-5167-4e58-94ed-64c54f929c08-c/providers/microsoft.network/virtualnetworks/azurebatch-356b4899-5167-4e58-94ed-64c54f929c08-cvnet,azurebatch-356b4899-5167-4e58-94ed-64c54f929c08-cvnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networkwatchershouldbeenabledmonitoringeffect,b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,azure_security_benchmark_v3.0_ir-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.",Network,"Network Watcher should be enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,AzureBatch-356b4899-5167-4e58-94ed-64c54f929c08-C,Microsoft.Compute/virtualMachineScaleSets,tbd,southcentralus,True,Exempt,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azurebatch-356b4899-5167-4e58-94ed-64c54f929c08-c/providers/microsoft.compute/virtualmachinescalesets/356b4899-5167-4e58-94ed-64c54f929c08-azurebatch-vmss-d,356b4899-5167-4e58-94ed-64c54f929c08-azurebatch-vmss-d,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vmsssystemupdatesmonitoring,c3f317a7-a95c-4547-b7e7-11017ebdf2fe,/providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure.",Security Center,"System updates on virtual machine scale sets should be installed"
1d81cec7-7ded-4731-884e-90c5aa59c622,AzureBatch-356b4899-5167-4e58-94ed-64c54f929c08-C,Microsoft.Compute/virtualMachineScaleSets,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azurebatch-356b4899-5167-4e58-94ed-64c54f929c08-c/providers/microsoft.compute/virtualmachinescalesets/356b4899-5167-4e58-94ed-64c54f929c08-azurebatch-vmss-d,356b4899-5167-4e58-94ed-64c54f929c08-azurebatch-vmss-d,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.1.0,diagnosticslogsinservicefabricmonitoringeffect,7c1b1214-f927-48bf-8882-84f0af6588b1,/providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1,azure_security_benchmark_v3.0_lt-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise.",Compute,"Resource logs in Virtual Machine Scale Sets should be enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,AzureBatch-356b4899-5167-4e58-94ed-64c54f929c08-C,Microsoft.Compute/virtualMachineScaleSets,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azurebatch-356b4899-5167-4e58-94ed-64c54f929c08-c/providers/microsoft.compute/virtualmachinescalesets/356b4899-5167-4e58-94ed-64c54f929c08-azurebatch-vmss-d,356b4899-5167-4e58-94ed-64c54f929c08-azurebatch-vmss-d,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.1.0,diagnosticslogsinservicefabricmonitoringeffect,7c1b1214-f927-48bf-8882-84f0af6588b1,/providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1,azure_security_benchmark_v3.0_lt-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise.",Compute,"Resource logs in Virtual Machine Scale Sets should be enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,AzureBatch-356b4899-5167-4e58-94ed-64c54f929c08-C,Microsoft.Compute/virtualMachineScaleSets,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azurebatch-356b4899-5167-4e58-94ed-64c54f929c08-c/providers/microsoft.compute/virtualmachinescalesets/356b4899-5167-4e58-94ed-64c54f929c08-azurebatch-vmss-d,356b4899-5167-4e58-94ed-64c54f929c08-azurebatch-vmss-d,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,"Vulnerabilities in container security configurations should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622AzureBatch-356b4899-5167-4e58-94ed-64c54f929c08-CMicrosoft.Compute/virtualMachineScaleSetstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azurebatch-356b4899-5167-4e58-94ed-64c54f929c08-c/providers/microsoft.compute/virtualmachinescalesets/356b4899-5167-4e58-94ed-64c54f929c08-azurebatch-vmss-d356b4899-5167-4e58-94ed-64c54f929c08-azurebatch-vmss-d55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmsssystemupdatesmonitoringc3f317a7-a95c-4547-b7e7-11017ebdf2fe/providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2feazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure.Security CenterSystem updates on virtual machine scale sets should be installed
1d81cec7-7ded-4731-884e-90c5aa59c622AzureBatch-356b4899-5167-4e58-94ed-64c54f929c08-CMicrosoft.Compute/virtualMachineScaleSetstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azurebatch-356b4899-5167-4e58-94ed-64c54f929c08-c/providers/microsoft.compute/virtualmachinescalesets/356b4899-5167-4e58-94ed-64c54f929c08-azurebatch-vmss-d356b4899-5167-4e58-94ed-64c54f929c08-azurebatch-vmss-d55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622AzureBatch-356b4899-5167-4e58-94ed-64c54f929c08-CMicrosoft.Compute/virtualMachineScaleSetstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azurebatch-356b4899-5167-4e58-94ed-64c54f929c08-c/providers/microsoft.compute/virtualmachinescalesets/356b4899-5167-4e58-94ed-64c54f929c08-azurebatch-vmss-d356b4899-5167-4e58-94ed-64c54f929c08-azurebatch-vmss-d55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmssendpointprotectionmonitoring26a828e1-e88f-464e-bbb3-c134a282b9de/providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9deazure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.Security CenterEndpoint protection solution should be installed on virtual machine scale sets
1d81cec7-7ded-4731-884e-90c5aa59c622AzureBatch-356b4899-5167-4e58-94ed-64c54f929c08-CMicrosoft.Compute/virtualMachineScaleSetstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azurebatch-356b4899-5167-4e58-94ed-64c54f929c08-c/providers/microsoft.compute/virtualmachinescalesets/356b4899-5167-4e58-94ed-64c54f929c08-azurebatch-vmss-d356b4899-5167-4e58-94ed-64c54f929c08-azurebatch-vmss-d55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmssmonitoringa3a6ea0c-e018-4933-9ef0-5aaa1501449b/providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449bazure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecurity Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats.Security CenterLog Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622AzureBatch-356b4899-5167-4e58-94ed-64c54f929c08-CMicrosoft.Compute/virtualMachineScaleSetstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azurebatch-356b4899-5167-4e58-94ed-64c54f929c08-c/providers/microsoft.compute/virtualmachinescalesets/356b4899-5167-4e58-94ed-64c54f929c08-azurebatch-vmss-d356b4899-5167-4e58-94ed-64c54f929c08-azurebatch-vmss-d55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmssosvulnerabilitiesmonitoring3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4/providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks.Security CenterVulnerabilities in security configuration on your virtual machine scale sets should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622AzureBatch-356b4899-5167-4e58-94ed-64c54f929c08-CMicrosoft.Compute/virtualMachineScaleSetstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azurebatch-356b4899-5167-4e58-94ed-64c54f929c08-c/providers/microsoft.compute/virtualmachinescalesets/356b4899-5167-4e58-94ed-64c54f929c08-azurebatch-vmss-d356b4899-5167-4e58-94ed-64c54f929c08-azurebatch-vmss-d55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmssosvulnerabilitiesmonitoring3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4/providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks.Security CenterVulnerabilities in security configuration on your virtual machine scale sets should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622AzureBatch-356b4899-5167-4e58-94ed-64c54f929c08-CMicrosoft.Compute/virtualMachineScaleSetstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azurebatch-356b4899-5167-4e58-94ed-64c54f929c08-c/providers/microsoft.compute/virtualmachinescalesets/356b4899-5167-4e58-94ed-64c54f929c08-azurebatch-vmss-d356b4899-5167-4e58-94ed-64c54f929c08-azurebatch-vmss-d55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmssendpointprotectionmonitoring26a828e1-e88f-464e-bbb3-c134a282b9de/providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9deazure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.Security CenterEndpoint protection solution should be installed on virtual machine scale sets
1d81cec7-7ded-4731-884e-90c5aa59c622AzureBatch-356b4899-5167-4e58-94ed-64c54f929c08-CMicrosoft.Compute/virtualMachineScaleSetstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/azurebatch-356b4899-5167-4e58-94ed-64c54f929c08-c/providers/microsoft.compute/virtualmachinescalesets/356b4899-5167-4e58-94ed-64c54f929c08-azurebatch-vmss-d356b4899-5167-4e58-94ed-64c54f929c08-azurebatch-vmss-d55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmssmonitoringa3a6ea0c-e018-4933-9ef0-5aaa1501449b/providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449bazure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSecurity Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats.Security CenterLog Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622cloud-shell-storage-southcentralusMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/cloud-shell-storage-southcentralus/providers/microsoft.storage/storageaccounts/cs710030000a84d7f86cs710030000a84d7f8655.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622cloud-shell-storage-southcentralusMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/cloud-shell-storage-southcentralus/providers/microsoft.storage/storageaccounts/cs710030000a84d7f86cs710030000a84d7f8655.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622cloud-shell-storage-southcentralusMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/cloud-shell-storage-southcentralus/providers/microsoft.storage/storageaccounts/cs710030000a84d7f86cs710030000a84d7f8655.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622cloud-shell-storage-southcentralusMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/cloud-shell-storage-southcentralus/providers/microsoft.storage/storageaccounts/cs710030000a84d7f86cs710030000a84d7f8655.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622cloud-shell-storage-southcentralusMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/cloud-shell-storage-southcentralus/providers/microsoft.storage/storageaccounts/cs710030000a84d7f86cs710030000a84d7f8655.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622cloud-shell-storage-southcentralusMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/cloud-shell-storage-southcentralus/providers/microsoft.storage/storageaccounts/cs710030000a84d7f86cs710030000a84d7f8655.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622cloud-shell-storage-southcentralusMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/cloud-shell-storage-southcentralus/providers/microsoft.storage/storageaccounts/cs710030000a84d7f86cs710030000a84d7f8655.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622cloud-shell-storage-southcentralusMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/cloud-shell-storage-southcentralus/providers/microsoft.storage/storageaccounts/cs710030000a84d7f86cs710030000a84d7f8655.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622cloud-shell-storage-southcentralusMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/cloud-shell-storage-southcentralus/providers/microsoft.storage/storageaccounts/cs710030000a84d7f86cs710030000a84d7f8655.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622cloud-shell-storage-southcentralusMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/cloud-shell-storage-southcentralus/providers/microsoft.storage/storageaccounts/cs710030000a84d7f86cs710030000a84d7f8655.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622cloud-shell-storage-southcentralusMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/cloud-shell-storage-southcentralus/providers/microsoft.storage/storageaccounts/cs710030000a84d7f86cs710030000a84d7f8655.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622cloud-shell-storage-westusMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/cloud-shell-storage-westus/providers/microsoft.storage/storageaccounts/cs410030000a84e3c56cs410030000a84e3c5655.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622cloud-shell-storage-westusMicrosoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/cloud-shell-storage-westus/providers/microsoft.storage/storageaccounts/cs410030000a84e3c56cs410030000a84e3c5655.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622cloud-shell-storage-westusMicrosoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/cloud-shell-storage-westus/providers/microsoft.storage/storageaccounts/cs410030000a84e3c56cs410030000a84e3c5655.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622,cloud-shell-storage-westus,Microsoft.Storage/storageAccounts,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/cloud-shell-storage-westus/providers/microsoft.storage/storageaccounts/cs410030000a84e3c56,cs410030000a84e3c56,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,"Storage accounts should restrict network access using virtual network rules"
1d81cec7-7ded-4731-884e-90c5aa59c622,cloud-shell-storage-westus,Microsoft.Storage/storageAccounts,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/cloud-shell-storage-westus/providers/microsoft.storage/storageaccounts/cs410030000a84e3c56,cs410030000a84e3c56,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,"Storage accounts should use private link"
1d81cec7-7ded-4731-884e-90c5aa59c622,cloud-shell-storage-westus,Microsoft.Storage/storageAccounts,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/cloud-shell-storage-westus/providers/microsoft.storage/storageaccounts/cs410030000a84e3c56,cs410030000a84e3c56,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,"Secure transfer to storage accounts should be enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,cloud-shell-storage-westus,Microsoft.Storage/storageAccounts,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/cloud-shell-storage-westus/providers/microsoft.storage/storageaccounts/cs410030000a84e3c56,cs410030000a84e3c56,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,"Storage accounts should restrict network access using virtual network rules"
1d81cec7-7ded-4731-884e-90c5aa59c622,cloud-shell-storage-westus,Microsoft.Storage/storageAccounts,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/cloud-shell-storage-westus/providers/microsoft.storage/storageaccounts/cs410030000a84e3c56,cs410030000a84e3c56,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,"Storage accounts should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,cloud-shell-storage-westus,Microsoft.Storage/storageAccounts,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/cloud-shell-storage-westus/providers/microsoft.storage/storageaccounts/cs410030000a84e3c56,cs410030000a84e3c56,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,"Secure transfer to storage accounts should be enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,cloud-shell-storage-westus,Microsoft.Storage/storageAccounts,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/cloud-shell-storage-westus/providers/microsoft.storage/storageaccounts/cs410030000a84e3c56,cs410030000a84e3c56,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,"Storage accounts should use private link"
1d81cec7-7ded-4731-884e-90c5aa59c622,cloud-shell-storage-westus,Microsoft.Storage/storageAccounts,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/cloud-shell-storage-westus/providers/microsoft.storage/storageaccounts/cs410030000a84e3c56,cs410030000a84e3c56,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,"[Preview]: Storage account public access should be disallowed"
1d81cec7-7ded-4731-884e-90c5aa59c622,defaultresourcegroup-scus,microsoft.operationalinsights/workspaces/linkedServices,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/defaultresourcegroup-scus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-1d81cec7-7ded-4731-884e-90c5aa59c622-scus/linkedservices/security,security,,,,,,,,,,"Automanage workspace policy","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policydefinitions/automanage workspace policy",,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/DefaultResourceGroup-SCUS/providers/Microsoft.OperationalInsights/workspaces/DefaultWorkspace-1d81cec7-7ded-4731-884e-90c5aa59c622-SCUS,tbd,,"Automanage workspace assignment","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/defaultresourcegroup-scus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-1d81cec7-7ded-4731-884e-90c5aa59c622-scus/providers/microsoft.authorization/policyassignments/automanage workspace assignment","Monitors workspace and ensures the automation account is linked",General,"Automanage workspace policy"
1d81cec7-7ded-4731-884e-90c5aa59c622,DefaultResourceGroup-SCUS,Microsoft.OperationsManagement/solutions,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/defaultresourcegroup-scus/providers/microsoft.operationsmanagement/solutions/changetracking(defaultworkspace-1d81cec7-7ded-4731-884e-90c5aa59c622-scus),changetracking(defaultworkspace-1d81cec7-7ded-4731-884e-90c5aa59c622-scus),,,,,,,,,,"Automanage solutions policy","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policydefinitions/automanage solutions policy",,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/DefaultResourceGroup-SCUS/providers/Microsoft.OperationsManagement/solutions/ChangeTracking(DefaultWorkspace-1d81cec7-7ded-4731-884e-90c5aa59c622-SCUS),tbd,,"Automanage ChangeTracking solution assignment","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/defaultresourcegroup-scus/providers/microsoft.operationsmanagement/solutions/changetracking(defaultworkspace-1d81cec7-7ded-4731-884e-90c5aa59c622-scus)/providers/microsoft.authorization/policyassignments/automanage changetracking solution assignment","Monitors the Solution and ensures the workspace is linked",General,"Automanage solutions policy"
1d81cec7-7ded-4731-884e-90c5aa59c622,DefaultResourceGroup-SCUS,Microsoft.OperationsManagement/solutions,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/defaultresourcegroup-scus/providers/microsoft.operationsmanagement/solutions/vminsights(defaultworkspace-1d81cec7-7ded-4731-884e-90c5aa59c622-scus),vminsights(defaultworkspace-1d81cec7-7ded-4731-884e-90c5aa59c622-scus),,,,,,,,,,"Automanage solutions policy","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policydefinitions/automanage solutions policy",,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/DefaultResourceGroup-SCUS/providers/Microsoft.OperationsManagement/solutions/VMInsights(DefaultWorkspace-1d81cec7-7ded-4731-884e-90c5aa59c622-SCUS),tbd,,"Automanage VMInsights solution assignment","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/defaultresourcegroup-scus/providers/microsoft.operationsmanagement/solutions/vminsights(defaultworkspace-1d81cec7-7ded-4731-884e-90c5aa59c622-scus)/providers/microsoft.authorization/policyassignments/automanage vminsights solution assignment","Monitors the Solution and ensures the workspace is linked",General,"Automanage solutions policy"
1d81cec7-7ded-4731-884e-90c5aa59c622,DefaultResourceGroup-SCUS,Microsoft.Automation/automationAccounts,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/defaultresourcegroup-scus/providers/microsoft.automation/automationaccounts/automate-1d81cec7-7ded-4731-884e-90c5aa59c622-scus,automate-1d81cec7-7ded-4731-884e-90c5aa59c622-scus,,,,,,,,,,"Automanage automation account policy","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policydefinitions/automanage automation account policy",,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/DefaultResourceGroup-SCUS/providers/Microsoft.Automation/automationAccounts/Automate-1d81cec7-7ded-4731-884e-90c5aa59c622-SCUS,tbd,,"Automanage automation account assignment","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/defaultresourcegroup-scus/providers/microsoft.automation/automationaccounts/automate-1d81cec7-7ded-4731-884e-90c5aa59c622-scus/providers/microsoft.authorization/policyassignments/automanage automation account assignment","Monitors the Automation Account and ensures the location and name don't change",General,"Automanage automation account policy"
1d81cec7-7ded-4731-884e-90c5aa59c622,defaultresourcegroup-scus,Microsoft.OperationalInsights/workspaces/linkedservices,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/defaultresourcegroup-scus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-1d81cec7-7ded-4731-884e-90c5aa59c622-scus/linkedservices/automation,automation,,,,,,,,,,"Automanage workspace policy","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policydefinitions/automanage workspace policy",,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/DefaultResourceGroup-SCUS/providers/Microsoft.OperationalInsights/workspaces/DefaultWorkspace-1d81cec7-7ded-4731-884e-90c5aa59c622-SCUS,tbd,,"Automanage workspace assignment","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/defaultresourcegroup-scus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-1d81cec7-7ded-4731-884e-90c5aa59c622-scus/providers/microsoft.authorization/policyassignments/automanage workspace assignment","Monitors workspace and ensures the automation account is linked",General,"Automanage workspace policy"
1d81cec7-7ded-4731-884e-90c5aa59c622,defaultresourcegroup-scus,Microsoft.OperationalInsights/workspaces/linkedservices,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/defaultresourcegroup-scus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-1d81cec7-7ded-4731-884e-90c5aa59c622-scus/linkedservices/security,security,,,,,,,,,,"Automanage workspace policy","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policydefinitions/automanage workspace policy",,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/DefaultResourceGroup-SCUS/providers/Microsoft.OperationalInsights/workspaces/DefaultWorkspace-1d81cec7-7ded-4731-884e-90c5aa59c622-SCUS,tbd,,"Automanage workspace assignment","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/defaultresourcegroup-scus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-1d81cec7-7ded-4731-884e-90c5aa59c622-scus/providers/microsoft.authorization/policyassignments/automanage workspace assignment","Monitors workspace and ensures the automation account is linked",General,"Automanage workspace policy"
1d81cec7-7ded-4731-884e-90c5aa59c622,EDA-HFSS-Opt,Microsoft.Storage/storageAccounts,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/eda-hfss-opt/providers/microsoft.storage/storageaccounts/edahfssoptbackup,edahfssoptbackup,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,"Storage accounts should use private link"
1d81cec7-7ded-4731-884e-90c5aa59c622,EDA-HFSS-Opt,Microsoft.Storage/storageAccounts,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/eda-hfss-opt/providers/microsoft.storage/storageaccounts/edahfssoptbackup,edahfssoptbackup,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,"Storage accounts should use private link"
1d81cec7-7ded-4731-884e-90c5aa59c622,EDA-HFSS-Opt,Microsoft.Storage/storageAccounts,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/eda-hfss-opt/providers/microsoft.storage/storageaccounts/edahfssoptbackup,edahfssoptbackup,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,"Storage accounts should restrict network access using virtual network rules"
1d81cec7-7ded-4731-884e-90c5aa59c622,EDA-HFSS-Opt,Microsoft.Storage/storageAccounts,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/eda-hfss-opt/providers/microsoft.storage/storageaccounts/edahfssoptbackup,edahfssoptbackup,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,"[Preview]: Storage account public access should be disallowed"
1d81cec7-7ded-4731-884e-90c5aa59c622,EDA-HFSS-Opt,Microsoft.Storage/storageAccounts,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/eda-hfss-opt/providers/microsoft.storage/storageaccounts/edahfssoptbackup,edahfssoptbackup,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,"Secure transfer to storage accounts should be enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,EDA-HFSS-Opt,Microsoft.Storage/storageAccounts,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/eda-hfss-opt/providers/microsoft.storage/storageaccounts/edahfssoptbackup,edahfssoptbackup,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,1.1.1,disableunrestrictednetworktostorageaccountmonitoring,34c877ad-507e-4c82-993e-3452a6e0ad3c,/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges",Storage,"Storage accounts should restrict network access"
1d81cec7-7ded-4731-884e-90c5aa59c622,EDA-HFSS-Opt,Microsoft.Storage/storageAccounts,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/eda-hfss-opt/providers/microsoft.storage/storageaccounts/edahfssoptbackup,edahfssoptbackup,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,"Storage accounts should restrict network access using virtual network rules"
1d81cec7-7ded-4731-884e-90c5aa59c622,EDA-HFSS-Opt,Microsoft.Storage/storageAccounts,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/eda-hfss-opt/providers/microsoft.storage/storageaccounts/edahfssoptbackup,edahfssoptbackup,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,"[Preview]: Storage account public access should be disallowed"
1d81cec7-7ded-4731-884e-90c5aa59c622,EDA-HFSS-Opt,Microsoft.Storage/storageAccounts,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/eda-hfss-opt/providers/microsoft.storage/storageaccounts/edahfssoptbackup,edahfssoptbackup,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,"Storage accounts should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,EDA-HFSS-Opt,Microsoft.Storage/storageAccounts,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/eda-hfss-opt/providers/microsoft.storage/storageaccounts/edahfssoptbackup,edahfssoptbackup,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,"Secure transfer to storage accounts should be enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,EDA-HFSS-Opt,Microsoft.Storage/storageAccounts,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/eda-hfss-opt/providers/microsoft.storage/storageaccounts/edahfssoptbackup,edahfssoptbackup,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,"Storage accounts should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,gmdata,Microsoft.Storage/storageAccounts,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/gmdata/providers/microsoft.storage/storageaccounts/gmstoragbackup,gmstoragbackup,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,"Storage accounts should use private link"
1d81cec7-7ded-4731-884e-90c5aa59c622,gmdata,Microsoft.Storage/storageAccounts,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/gmdata/providers/microsoft.storage/storageaccounts/gmstoragbackup,gmstoragbackup,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,"Storage accounts should use private link"
1d81cec7-7ded-4731-884e-90c5aa59c622,gmdata,Microsoft.Storage/storageAccounts,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/gmdata/providers/microsoft.storage/storageaccounts/gmstoragbackup,gmstoragbackup,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,"Storage accounts should restrict network access using virtual network rules"
1d81cec7-7ded-4731-884e-90c5aa59c622,gmdata,Microsoft.Storage/storageAccounts,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/gmdata/providers/microsoft.storage/storageaccounts/gmstoragbackup,gmstoragbackup,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,"[Preview]: Storage account public access should be disallowed"
1d81cec7-7ded-4731-884e-90c5aa59c622,gmdata,Microsoft.Storage/storageAccounts,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/gmdata/providers/microsoft.storage/storageaccounts/gmstoragbackup,gmstoragbackup,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,"security center",,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,"Storage accounts should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622gmdataMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/gmdata/providers/microsoft.storage/storageaccounts/gmstoragbackupgmstoragbackup55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622gmdataMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/gmdata/providers/microsoft.storage/storageaccounts/gmstoragbackupgmstoragbackup55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622gmdataMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/gmdata/providers/microsoft.storage/storageaccounts/gmstoragbackupgmstoragbackup55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622gmdataMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/gmdata/providers/microsoft.storage/storageaccounts/gmstoragbackupgmstoragbackup55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622gmdataMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/gmdata/providers/microsoft.storage/storageaccounts/gmstoragbackupgmstoragbackup55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622gmdataMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/gmdata/providers/microsoft.storage/storageaccounts/gmstoragbackupgmstoragbackup55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.ContainerRegistry/registriestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.containerregistry/registries/singularitytestingsingularitytesting55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.1containerregistryvulnerabilityassessment5f0f936f-2f01-4bf5-b6be-d423792fa562/providers/microsoft.authorization/policydefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineContainer image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.Security CenterContainer registry images should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Storage/storageAccountstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.storage/storageaccounts/gbbedawestus2gbbedawestus255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.ContainerRegistry/registriestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.containerregistry/registries/singularitytestingpublicsingularitytestingpublic55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.1containerregistryvulnerabilityassessment5f0f936f-2f01-4bf5-b6be-d423792fa562/providers/microsoft.authorization/policydefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineContainer image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.Security CenterContainer registry images should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.KeyVault/vaultstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2pocintelkvv255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0keyvaultsshouldhavesoftdeleteenabledmonitoringeffect1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d/providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2dazure_security_benchmark_v3.0_dp-8tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineDeleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.Key VaultKey vaults should have soft delete enabled
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2pocintelkvv255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0firewallshouldbeenabledonkeyvaultmonitoringeffect55615ac9-af46-4a59-874e-391cc3dfb490/providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490System.Object[]tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-securityKey VaultAzure Key Vault should have firewall enabled
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.KeyVault/vaultstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2pocintelkvv255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0-previewprivateendpointshouldbeconfiguredforkeyvaultmonitoringeffect5f0bc445-3935-4915-9981-011aa2b46147/providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147System.Object[]tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePrivate link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration.Key Vault[Preview]: Private endpoint should be configured for Key Vault
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.ContainerRegistry/registriestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.containerregistry/registries/singularitytestingsingularitytesting55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0containerregistriesshouldnotallowunrestrictednetworkaccessmonitoringeffectd0793b48-0edc-4296-a390-4c75d1bdfd71/providers/microsoft.authorization/policydefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet.Container RegistryContainer registries should not allow unrestricted network access
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Storage/storageAccountstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.storage/storageaccounts/gbbedawestus2gbbedawestus255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2pocintelkvv255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center5.0.0diagnosticslogsinkeyvaultmonitoringcf820ca0-f99e-4f3e-84fb-66e913812d21/providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromisedKey VaultResource logs in Key Vault should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachines/extensionstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622intel_edaMicrosoft.Network/virtualNetworkstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.network/virtualnetworks/intel_eda-vnetintel_eda-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0-previewazurefirewalleffectfc5e4038-4584-4632-8c85-c0448d374b2c/providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2cazure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewallNetwork[Preview]: All Internet traffic should be routed via your deployed Azure Firewall
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.KeyVault/vaultstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2pocintelkvv255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect0b60c0b2-2dc2-4e1c-b5c9-abbed971de53/providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53azure_security_benchmark_v3.0_dp-8tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMalicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.Key VaultKey vaults should have purge protection enabled
1d81cec7-7ded-4731-884e-90c5aa59c622intel_edaMicrosoft.Network/virtualNetworkstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.network/virtualnetworks/intel_eda-vnetintel_eda-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0-previewazurefirewalleffectfc5e4038-4584-4632-8c85-c0448d374b2c/providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2cazure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewallNetwork[Preview]: All Internet traffic should be routed via your deployed Azure Firewall
1d81cec7-7ded-4731-884e-90c5aa59c622intel_edaMicrosoft.Network/virtualNetworkstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.network/virtualnetworks/intel_eda-vnetintel_eda-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622intel_edaMicrosoft.Network/virtualNetworkstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.network/virtualnetworks/intel_eda-vnetintel_eda-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622intel_edaMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.network/virtualnetworks/intel_eda-vnet/subnets/defaultdefault55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2pocintelkvv255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center5.0.0diagnosticslogsinkeyvaultmonitoringcf820ca0-f99e-4f3e-84fb-66e913812d21/providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromisedKey VaultResource logs in Key Vault should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.KeyVault/vaultstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2pocintelkvv255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0-previewprivateendpointshouldbeconfiguredforkeyvaultmonitoringeffect5f0bc445-3935-4915-9981-011aa2b46147/providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147System.Object[]tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPrivate link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration.Key Vault[Preview]: Private endpoint should be configured for Key Vault
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.ContainerRegistry/registriestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.containerregistry/registries/singularitytestingsingularitytesting55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1containerregistriesshoulduseprivatelinkmonitoringeffecte8eef0a8-67cf-4eb4-9386-14b0e78733d4/providers/microsoft.authorization/policydefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link.Container RegistryContainer registries should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.KeyVault/vaultstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2pocintelkvv255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0keyvaultsshouldhavesoftdeleteenabledmonitoringeffect1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d/providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2dazure_security_benchmark_v3.0_dp-8tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDeleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.Key VaultKey vaults should have soft delete enabled
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.ContainerRegistry/registriestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.containerregistry/registries/singularitytestingpublicsingularitytestingpublic55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1containerregistriesshoulduseprivatelinkmonitoringeffecte8eef0a8-67cf-4eb4-9386-14b0e78733d4/providers/microsoft.authorization/policydefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link.Container RegistryContainer registries should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.ContainerRegistry/registriestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.containerregistry/registries/singularitytestingpublicsingularitytestingpublic55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0containerregistriesshouldnotallowunrestrictednetworkaccessmonitoringeffectd0793b48-0edc-4296-a390-4c75d1bdfd71/providers/microsoft.authorization/policydefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet.Container RegistryContainer registries should not allow unrestricted network access
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Storage/storageAccountstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.storage/storageaccounts/gbbedawestus2gbbedawestus255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Storage/storageAccountstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.storage/storageaccounts/gbbedawestus2gbbedawestus255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.ContainerRegistry/registriestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.containerregistry/registries/singularitytestingpublicsingularitytestingpublic55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1containerregistriesshoulduseprivatelinkmonitoringeffecte8eef0a8-67cf-4eb4-9386-14b0e78733d4/providers/microsoft.authorization/policydefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link.Container RegistryContainer registries should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Storage/storageAccountstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.storage/storageaccounts/gbbedawestus2gbbedawestus255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Storage/storageAccountstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.storage/storageaccounts/gbbedawestus2gbbedawestus255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Storage/storageAccountstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.storage/storageaccounts/gbbedawestus2gbbedawestus255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Storage/storageAccountstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.storage/storageaccounts/gbbedawestus2gbbedawestus255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2pocintelkvv255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0firewallshouldbeenabledonkeyvaultmonitoringeffect55615ac9-af46-4a59-874e-391cc3dfb490/providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490System.Object[]tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-securityKey VaultAzure Key Vault should have firewall enabled
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Storage/storageAccountstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.storage/storageaccounts/gbbedawestus2gbbedawestus255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Storage/storageAccountstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.storage/storageaccounts/gbbedawestus2gbbedawestus255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.ContainerRegistry/registriestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.containerregistry/registries/singularitytestingpublicsingularitytestingpublic55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0containerregistriesshouldnotallowunrestrictednetworkaccessmonitoringeffectd0793b48-0edc-4296-a390-4c75d1bdfd71/providers/microsoft.authorization/policydefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet.Container RegistryContainer registries should not allow unrestricted network access
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.ContainerRegistry/registriestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.containerregistry/registries/singularitytestingsingularitytesting55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.1containerregistryvulnerabilityassessment5f0f936f-2f01-4bf5-b6be-d423792fa562/providers/microsoft.authorization/policydefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinContainer image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.Security CenterContainer registry images should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622intel_edaMicrosoft.Network/virtualNetworkstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.network/virtualnetworks/intel_eda-vnetintel_eda-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vnetenableddosprotectionmonitoringa7aca53f-2ed4-4466-a25e-0b45ade68efd/providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efdazure_security_benchmark_v3.0_ns-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.Security CenterAzure DDoS Protection Standard should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.ContainerRegistry/registriestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.containerregistry/registries/singularitytestingsingularitytesting55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1containerregistriesshoulduseprivatelinkmonitoringeffecte8eef0a8-67cf-4eb4-9386-14b0e78733d4/providers/microsoft.authorization/policydefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link.Container RegistryContainer registries should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.ContainerRegistry/registriestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.containerregistry/registries/singularitytestingsingularitytesting55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0containerregistriesshouldnotallowunrestrictednetworkaccessmonitoringeffectd0793b48-0edc-4296-a390-4c75d1bdfd71/providers/microsoft.authorization/policydefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet.Container RegistryContainer registries should not allow unrestricted network access
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.ContainerRegistry/registriestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.containerregistry/registries/singularitytestingpublicsingularitytestingpublic55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.1containerregistryvulnerabilityassessment5f0f936f-2f01-4bf5-b6be-d423792fa562/providers/microsoft.authorization/policydefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinContainer image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.Security CenterContainer registry images should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622intel_edaMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.network/virtualnetworks/intel_eda-vnet/subnets/sn-hpccachesn-hpccache55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.KeyVault/vaultstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2pocintelkvv255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect0b60c0b2-2dc2-4e1c-b5c9-abbed971de53/providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53azure_security_benchmark_v3.0_dp-8tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMalicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.Key VaultKey vaults should have purge protection enabled
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Storage/storageAccountstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.storage/storageaccounts/gbbedawestus2gbbedawestus255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622intel_edaMicrosoft.Network/virtualNetworks/subnetstbdFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.network/virtualnetworks/intel_eda-vnet/subnets/sn-anfsn-anf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2pocintelkvv255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2keysexpirationset152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0/providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineCryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.Key VaultKey Vault keys should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2pocintelkvv255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2TrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2pocintelkvv255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2pocintelkvv255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2keysexpirationset152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0/providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineCryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.Key VaultKey Vault keys should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2pocintelkvv255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2keysexpirationset152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0/providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineCryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.Key VaultKey Vault keys should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2pocintelkvv255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2pocintelkvv255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2keysexpirationset152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0/providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineCryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.Key VaultKey Vault keys should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2pocintelkvv255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2pocintelkvv255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2keysexpirationset152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0/providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineCryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.Key VaultKey Vault keys should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2pocintelkvv255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2pocintelkvv255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2keysexpirationset152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0/providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineCryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.Key VaultKey Vault keys should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2pocintelkvv255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2pocintelkvv255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2keysexpirationset152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0/providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineCryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.Key VaultKey Vault keys should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2pocintelkvv255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2pocintelkvv255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2keysexpirationset152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0/providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineCryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.Key VaultKey Vault keys should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2pocintelkvv255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2pocintelkvv255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2pocintelkvv255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2pocintelkvv255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2pocintelkvv255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2keysexpirationset152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0/providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineCryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.Key VaultKey Vault keys should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2pocintelkvv255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2pocintelkvv255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2keysexpirationset152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0/providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineCryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.Key VaultKey Vault keys should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2pocintelkvv255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2pocintelkvv255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2keysexpirationset152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0/providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineCryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.Key VaultKey Vault keys should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2pocintelkvv255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2pocintelkvv255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2keysexpirationset152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0/providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineCryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.Key VaultKey Vault keys should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2pocintelkvv255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2pocintelkvv255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2keysexpirationset152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0/providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineCryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.Key VaultKey Vault keys should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2pocintelkvv255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2keysexpirationset152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0/providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineCryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.Key VaultKey Vault keys should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2pocintelkvv255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2keysexpirationset152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0/providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineCryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.Key VaultKey Vault keys should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2pocintelkvv255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2pocintelkvv255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2keysexpirationset152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0/providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineCryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.Key VaultKey Vault keys should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2pocintelkvv255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2pocintelkvv255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2keysexpirationset152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0/providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineCryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.Key VaultKey Vault keys should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622|Intel_EDA|Microsoft.Compute/virtualMachines|tbd|westus2|True|Compliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver|cycleserver|55.0.0|||1f3afdf9-d0c9-4c3d-847f-89da613e70a8|/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8|security center||2.0.3|diskencryptionmonitoring|0961003e-5a0a-4549-abde-af6a37f2724d|/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d|azure_security_benchmark_v3.0_dp-4|tbd|auditifnotexists||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622|tbd||SecurityCenterBuiltIn|/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin|By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison|Security Center|Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622|Intel_EDA|Microsoft.Compute/virtualMachines|tbd|westus2|True|Compliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver|cycleserver|55.0.0|||1f3afdf9-d0c9-4c3d-847f-89da613e70a8|/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8|security center||3.0.0|nextgenerationfirewallmonitoring|9daedab3-fb2d-461e-b861-71790eead4f6|/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6|azure_security_benchmark_v3.0_ns-1|tbd|auditifnotexists||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622|tbd||SecurityCenterBuiltIn|/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin|Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.|Security Center|All network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622|Intel_EDA|Microsoft.Compute/virtualMachines|tbd|westus2|True|Compliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver|cycleserver|55.0.0|||1f3afdf9-d0c9-4c3d-847f-89da613e70a8|/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8|security center||3.0.0|containerbenchmarkmonitoring|e8cbc669-f12d-49eb-93e7-9273119e9933|/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933|System.Object[]|tbd|auditifnotexists||/providers/Microsoft.Management/managementGroups/MCAPSCore|tbd||Azure_Security_Baseline|/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline|Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.|Security Center|Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622|Intel_EDA|Microsoft.Compute/virtualMachines|tbd|westus2|True|Compliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver|cycleserver|1.0.0|||12794019-7a00-42cf-95c2-882eed337cc8|/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8|guest configuration||3.0.0|prerequisite_deployextensionlinux|331e8ea8-378a-410f-a2e5-ae22f38bb0da|/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da||tbd|deployifnotexists||/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd|tbd||f34f1577286a4f77b5dd107c|/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c|This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.|Guest Configuration|Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622|Intel_EDA|Microsoft.Compute/virtualMachines|tbd|westus2|False|NonCompliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver|cycleserver|55.0.0|||1f3afdf9-d0c9-4c3d-847f-89da613e70a8|/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8|security center||1.0.0|installendpointprotection|1f7c564c-0a90-4d44-b7e1-9d456cffaee8|/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8|azure_security_benchmark_v3.0_es-2|tbd|auditifnotexists||/providers/Microsoft.Management/managementGroups/MCAPSCore|tbd||Azure_Security_Baseline|/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline|To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.|Security Center|Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622|Intel_EDA|Microsoft.Compute/virtualMachines|tbd|westus2|False|NonCompliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver|cycleserver|55.0.0|||1f3afdf9-d0c9-4c3d-847f-89da613e70a8|/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8|security center||1.0.0|endpointprotectionhealthissuesmonitoringeffect|8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2|/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2|System.Object[]|tbd|auditifnotexists||/providers/Microsoft.Management/managementGroups/MCAPSCore|tbd||Azure_Security_Baseline|/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline|Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.|Security Center|Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622|Intel_EDA|Microsoft.Compute/virtualMachines|tbd|westus2|True|Compliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver|cycleserver|55.0.0|||1f3afdf9-d0c9-4c3d-847f-89da613e70a8|/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8|security center||3.0.0|servervulnerabilityassessment|501541f7-f7e7-4cd6-868c-4190fdad3ac9|/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9|azure_security_benchmark_v3.0_pv-5|tbd|auditifnotexists||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622|tbd||SecurityCenterBuiltIn|/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin|Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.|Security Center|A vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2pocintelkvv255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2pocintelkvv255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2pocintelkvv255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2keysexpirationset152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0/providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineCryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.Key VaultKey Vault keys should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2pocintelkvv255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2keysexpirationset152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0/providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineCryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.Key VaultKey Vault keys should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2pocintelkvv255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2pocintelkvv255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.keyvault/vaults/pocintelkvv2pocintelkvv255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2keysexpirationset152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0/providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineCryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.Key VaultKey Vault keys should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachines/extensionstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleserver/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDAMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622intel_eda_west3Microsoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3testwest3test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622intel_eda_west3Microsoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3testwest3test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622intel_eda_west3Microsoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3testwest3test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622intel_eda_west3Microsoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3testwest3test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622intel_eda_west3Microsoft.Compute/virtualMachinestbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3testwest3test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622intel_eda_west3Microsoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3testwest3test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622intel_eda_west3Microsoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3testwest3test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622intel_eda_west3Microsoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3testwest3test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622intel_eda_west3Microsoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3testwest3test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622intel_eda_west3Microsoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3testwest3test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622intel_eda_west3Microsoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3testwest3test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622intel_eda_west3Microsoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3testwest3test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622intel_eda_west3Microsoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3testwest3test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622intel_eda_west3Microsoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3testwest3test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622intel_eda_west3Microsoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3testwest3test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622intel_eda_west3Microsoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3testwest3test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622intel_eda_west3Microsoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3testwest3test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622intel_eda_west3Microsoft.Compute/virtualMachinestbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3testwest3test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622Intel_EDA_West3Microsoft.Compute/virtualMachines/extensionstbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622intel_eda_west3Microsoft.Compute/virtualMachinestbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3testwest3test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622intel_eda_west3Microsoft.Compute/virtualMachinestbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3testwest3test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622intel_eda_west3Microsoft.Compute/virtualMachinestbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3testwest3test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622intel_eda_west3Microsoft.Compute/virtualMachinestbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3testwest3test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622intel_eda_west3Microsoft.Compute/virtualMachinestbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3testwest3test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622intel_eda_west3Microsoft.Compute/virtualMachinestbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3testwest3test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622 | Intel_EDA_West3 | Microsoft.Compute/virtualMachines/extensions | tbd | westus3 | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 1.0.0 |  |  | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration |  | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da |  | tbd | deployifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | tbd |  | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | True | Exempt |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | intel_eda_west3 | Microsoft.Compute/virtualMachines | tbd | westus3 | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3test | west3test | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622intel_eda_west3Microsoft.Network/virtualNetworkstbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.network/virtualnetworks/intel_eda_west3-vnetintel_eda_west3-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vnetenableddosprotectionmonitoringa7aca53f-2ed4-4466-a25e-0b45ade68efd/providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efdazure_security_benchmark_v3.0_ns-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.Security CenterAzure DDoS Protection Standard should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622intel_eda_west3Microsoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.network/virtualnetworks/intel_eda_west3-vnet/subnets/defaultdefault55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622intel_eda_west3Microsoft.Network/virtualNetworkstbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.network/virtualnetworks/intel_eda_west3-vnetintel_eda_west3-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622intel_eda_west3Microsoft.Compute/virtualMachinestbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3testwest3test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622intel_eda_west3Microsoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3testwest3test1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622intel_eda_west3Microsoft.Network/virtualNetworkstbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.network/virtualnetworks/intel_eda_west3-vnetintel_eda_west3-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622intel_eda_west3Microsoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3testwest3test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622intel_eda_west3Microsoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3testwest3test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622intel_eda_west3Microsoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3testwest3test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622intel_eda_west3Microsoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3testwest3test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622intel_eda_west3Microsoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3testwest3test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622intel_eda_west3Microsoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3testwest3test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622intel_eda_west3Microsoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/intel_eda_west3/providers/microsoft.compute/virtualmachines/west3testwest3test1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622ja-caehpcMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuildimagebuild55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622ja-caehpcMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuildimagebuild55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622ja-caehpcMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuildimagebuild55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622ja-caehpcMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuildimagebuild1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration3.0.0prerequisite_deployextensionlinux331e8ea8-378a-410f-a2e5-ae22f38bb0da/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0datbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622ja-caehpcMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuildimagebuild55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622ja-caehpcMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuildimagebuild55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622ja-caehpcMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuildimagebuild55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ja-caehpcMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuildimagebuild55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ja-caehpcMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuildimagebuild55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ja-caehpcMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuildimagebuild55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ja-caehpcMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuildimagebuild55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622ja-caehpcMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuildimagebuild55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622ja-caehpcMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuildimagebuild55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622ja-caehpcMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuildimagebuild55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622ja-caehpcMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuildimagebuild55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ja-caehpcMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuildimagebuild55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ja-caehpcMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuildimagebuild55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622ja-caehpcMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuildimagebuild55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622ja-caehpcMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuildimagebuild55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622ja-caehpcMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuildimagebuild55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622ja-caehpcMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuildimagebuild55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ja-caehpcMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuildimagebuild55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622ja-caehpcMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuildimagebuild55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ja-caehpcMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuildimagebuild55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622ja-caehpcMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuildimagebuild55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JA-CAEHPCMicrosoft.Storage/storageAccountstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.storage/storageaccounts/jacaehpcbootdiagjacaehpcbootdiag55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622ja-caehpcMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuildimagebuild55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622ja-caehpcMicrosoft.Network/virtualNetworkstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.network/virtualnetworks/ja-wus2-vnetja-wus2-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622ja-caehpcMicrosoft.Network/virtualNetworkstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.network/virtualnetworks/ja-wus2-vnetja-wus2-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622ja-caehpcMicrosoft.Network/virtualNetworkstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.network/virtualnetworks/ja-wus2-vnetja-wus2-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0-previewazurefirewalleffectfc5e4038-4584-4632-8c85-c0448d374b2c/providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2cazure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewallNetwork[Preview]: All Internet traffic should be routed via your deployed Azure Firewall
1d81cec7-7ded-4731-884e-90c5aa59c622ja-caehpcMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuildimagebuild55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622ja-caehpcMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.network/virtualnetworks/ja-wus2-vnet/subnets/defaultdefault55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622ja-caehpcMicrosoft.Network/virtualNetworkstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.network/virtualnetworks/ja-wus2-vnetja-wus2-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0-previewazurefirewalleffectfc5e4038-4584-4632-8c85-c0448d374b2c/providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2cazure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewallNetwork[Preview]: All Internet traffic should be routed via your deployed Azure Firewall
1d81cec7-7ded-4731-884e-90c5aa59c622ja-caehpcMicrosoft.Network/virtualNetworkstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.network/virtualnetworks/ja-wus2-vnetja-wus2-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vnetenableddosprotectionmonitoringa7aca53f-2ed4-4466-a25e-0b45ade68efd/providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efdazure_security_benchmark_v3.0_ns-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.Security CenterAzure DDoS Protection Standard should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622ja-caehpcMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuildimagebuild55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622ja-caehpcMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuildimagebuild55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622ja-caehpcMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuildimagebuild55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622ja-caehpcMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuildimagebuild55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622ja-caehpcMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuildimagebuild55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
SubscriptionId,ResourceGroup,ResourceType,ResourceTags,ResourceLocation,IsCompliant,ComplianceState,EffectiveParameters,ResourceId,Resource,PolicySetDefinitionVersion,PolicySetDefinitionParameters,PolicySetDefinitionOwner,PolicySetDefinitionName,PolicySetDefinitionId,PolicySetDefinitionCategory,PolicyEvaluationDetails,PolicyDefinitionVersion,PolicyDefinitionReferenceId,PolicyDefinitionName,PolicyDefinitionId,PolicyDefinitionGroupNames,PolicyDefinitionCategory,PolicyDefinitionAction,PolicyAssignmentVersion,PolicyAssignmentScope,PolicyAssignmentParameters,PolicyAssignmentOwner,PolicyAssignmentName,PolicyAssignmentId,PolicyDescription,PolicyCategory,PolicyDisplayName
1d81cec7-7ded-4731-884e-90c5aa59c622,ja-caehpc,Microsoft.Compute/virtualMachines,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild,imagebuild,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,ja-caehpc,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild,imagebuild,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,ja-caehpc,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild,imagebuild,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,IP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622,ja-caehpc,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild,imagebuild,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,Management ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,ja-caehpc,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild,imagebuild,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,Adaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,ja-caehpc,Microsoft.Compute/virtualMachines,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild,imagebuild,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,SQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622,ja-caehpc,Microsoft.Compute/virtualMachines,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild,imagebuild,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,A vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,ja-caehpc,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild,imagebuild,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,Monitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622,ja-caehpc,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild,imagebuild,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,Management ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622,ja-caehpc,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild,imagebuild,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Non-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,JA-CAEHPC,Microsoft.Storage/storageAccounts,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.storage/storageaccounts/jacaehpcbootdiag,jacaehpcbootdiag,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622,JA-CAEHPC,Microsoft.Storage/storageAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.storage/storageaccounts/jacaehpcbootdiag,jacaehpcbootdiag,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,Storage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622,JA-CAEHPC,Microsoft.Storage/storageAccounts,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.storage/storageaccounts/jacaehpcbootdiag,jacaehpcbootdiag,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,JA-CAEHPC,Microsoft.Storage/storageAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.storage/storageaccounts/jacaehpcbootdiag,jacaehpcbootdiag,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.1.1,disableunrestrictednetworktostorageaccountmonitoring,34c877ad-507e-4c82-993e-3452a6e0ad3c,/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges",Storage,Storage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622,ja-caehpc,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild,imagebuild,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,Vulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,JA-CAEHPC,Microsoft.Storage/storageAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.storage/storageaccounts/jacaehpcbootdiag,jacaehpcbootdiag,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,Storage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622,JA-CAEHPC,Microsoft.Storage/storageAccounts,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.storage/storageaccounts/jacaehpcbootdiag,jacaehpcbootdiag,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,JA-CAEHPC,Microsoft.Storage/storageAccounts,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.storage/storageaccounts/jacaehpcbootdiag,jacaehpcbootdiag,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,Storage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,JA-CAEHPC,Microsoft.Storage/storageAccounts,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.storage/storageaccounts/jacaehpcbootdiag,jacaehpcbootdiag,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622,ja-caehpc,Microsoft.Compute/virtualMachines,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild,imagebuild,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhennone,3cf2ab00-13f1-4d0c-8971-2ac904541a7e,/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622,ja-caehpc,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild,imagebuild,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhenuser,497dff13-db2a-4c0f-8603-28fa3b331ab6,/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622,ja-caehpc,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild,imagebuild,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,JA-CAEHPC,Microsoft.Storage/storageAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.storage/storageaccounts/jacaehpcbootdiag,jacaehpcbootdiag,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,Storage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622,ja-caehpc,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild,imagebuild,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,ja-caehpc,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild,imagebuild,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,ja-caehpc,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild,imagebuild,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,Allowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622,ja-caehpc,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild,imagebuild,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,Adaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,ja-caehpc,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild,imagebuild,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622,ja-caehpc,Microsoft.Compute/virtualMachines,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild,imagebuild,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622,ja-caehpc,Microsoft.Compute/virtualMachines,tbd,westus2,True,Exempt,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild,imagebuild,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,System updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,ja-caehpc,Microsoft.Compute/virtualMachines,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuild,imagebuild,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622ja-caehpcMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuildimagebuild55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ja-caehpcMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuildimagebuild55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ja-caehpcMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuildimagebuild55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622ja-caehpcMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuildimagebuild55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622ja-caehpcMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.compute/virtualmachines/imagebuildimagebuild55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JA-CAEHPCMicrosoft.Storage/storageAccountstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-caehpc/providers/microsoft.storage/storageaccounts/jacaehpcbootdiagjacaehpcbootdiag55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622ja-csatrainingMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-csatraining/providers/microsoft.network/virtualnetworks/jacsanet/subnets/hpccachesnhpccachesn55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622ja-csatrainingMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-csatraining/providers/microsoft.storage/storageaccounts/csatrainsacsatrainsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622ja-csatrainingMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-csatraining/providers/microsoft.storage/storageaccounts/csatrainsacsatrainsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622ja-csatrainingMicrosoft.Network/virtualNetworkstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-csatraining/providers/microsoft.network/virtualnetworks/jacsanetjacsanet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vnetenableddosprotectionmonitoringa7aca53f-2ed4-4466-a25e-0b45ade68efd/providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efdazure_security_benchmark_v3.0_ns-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.Security CenterAzure DDoS Protection Standard should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622ja-csatrainingMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-csatraining/providers/microsoft.storage/storageaccounts/csatrainsacsatrainsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622ja-csatrainingMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-csatraining/providers/microsoft.storage/storageaccounts/csatrainsacsatrainsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622ja-csatrainingMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-csatraining/providers/microsoft.storage/storageaccounts/csatrainsacsatrainsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622ja-csatrainingMicrosoft.Network/virtualNetworkstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-csatraining/providers/microsoft.network/virtualnetworks/jacsanetjacsanet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622ja-csatrainingMicrosoft.Network/virtualNetworkstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-csatraining/providers/microsoft.network/virtualnetworks/jacsanetjacsanet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622ja-csatrainingMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-csatraining/providers/microsoft.storage/storageaccounts/csatrainsacsatrainsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622ja-csatrainingMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-csatraining/providers/microsoft.storage/storageaccounts/csatrainsacsatrainsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622ja-csatrainingMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-csatraining/providers/microsoft.network/virtualnetworks/jacsanet/subnets/adminadmin55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622ja-csatrainingMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-csatraining/providers/microsoft.storage/storageaccounts/csatrainsacsatrainsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622ja-csatrainingMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-csatraining/providers/microsoft.storage/storageaccounts/csatrainsacsatrainsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622ja-csatrainingMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-csatraining/providers/microsoft.storage/storageaccounts/csatrainsacsatrainsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622ja-csatrainingMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ja-csatraining/providers/microsoft.storage/storageaccounts/csatrainsacsatrainsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachines/extensionstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump/extensions/azurepolicyforwindowsazurepolicyforwindows55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Network/virtualNetworkstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.network/virtualnetworks/ja-itt-vnetja-itt-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Network/virtualNetworkstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.network/virtualnetworks/ja-itt-vnetja-itt-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0windowsguestconfigbaselinesmonitoring72650e9f-97bc-4b2a-ab5f-9781a9fcecbc/providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbcazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationWindows machines should meet requirements of the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0windowsguestconfigbaselinesmonitoring72650e9f-97bc-4b2a-ab5f-9781a9fcecbc/providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbcazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationWindows machines should meet requirements of the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.storage/storageaccounts/ittcyclecloudtestittcyclecloudtest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.storage/storageaccounts/ittcyclecloudtestittcyclecloudtest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.storage/storageaccounts/ittcyclecloudtestittcyclecloudtest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.storage/storageaccounts/ittcyclecloudtestittcyclecloudtest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.storage/storageaccounts/ittcyclecloudtestittcyclecloudtest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.storage/storageaccounts/ittcyclecloudtestittcyclecloudtest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.storage/storageaccounts/ittcyclecloudtestittcyclecloudtest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.storage/storageaccounts/ittcyclecloudtestittcyclecloudtest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0windowsdefenderexploitguardmonitoringbed48b13-6647-468e-aa2f-1af1d3f4dd40/providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinWindows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).Guest ConfigurationWindows Defender Exploit Guard should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloudittcyclecloud55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.storage/storageaccounts/ittcyclecloudtestittcyclecloudtest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.storage/storageaccounts/ittcyclecloudtestittcyclecloudtest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.network/virtualnetworks/ja-itt-vnet/subnets/adminadmin55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.network/virtualnetworks/ja-itt-vnet/subnets/azurebastionsubnetazurebastionsubnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect5752e6d6-1206-46d8-8ab1-ecc2f71a8112/providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112azure_security_benchmark_v3.0_dp-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.Guest ConfigurationWindows web servers should be configured to use secure communication protocols
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.storage/storageaccounts/ittcyclecloudtestittcyclecloudtest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Network/virtualNetworkstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.network/virtualnetworks/ja-itt-vnetja-itt-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0-previewazurefirewalleffectfc5e4038-4584-4632-8c85-c0448d374b2c/providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2cazure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewallNetwork[Preview]: All Internet traffic should be routed via your deployed Azure Firewall
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloudittcyclecloud55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloudittcyclecloud55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0windowsdefenderexploitguardmonitoringbed48b13-6647-468e-aa2f-1af1d3f4dd40/providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineWindows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).Guest ConfigurationWindows Defender Exploit Guard should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloudittcyclecloud55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Network/virtualNetworkstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.network/virtualnetworks/ja-itt-vnetja-itt-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vnetenableddosprotectionmonitoringa7aca53f-2ed4-4466-a25e-0b45ade68efd/providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efdazure_security_benchmark_v3.0_ns-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.Security CenterAzure DDoS Protection Standard should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
Policy compliance records for subscription 1d81cec7-7ded-4731-884e-90c5aa59c622, resource group jaitt, location southcentralus (the export's column delimiters were lost; the rows below are the same records re-delimited, with values shared by every row factored out once).

Values common to all rows: SubscriptionId 1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup jaitt; ResourceTags tbd; ResourceLocation southcentralus; EffectiveParameters, PolicySetDefinitionParameters, PolicySetDefinitionOwner, PolicyEvaluationDetails, PolicyAssignmentVersion and PolicyAssignmentOwner empty; PolicyDefinitionCategory tbd; PolicyAssignmentParameters tbd. ResourceId is /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/ followed by the path shown in the Resource path column. PolicyDefinitionId is /providers/microsoft.authorization/policydefinitions/<PolicyDefinitionName>.

Policy set definitions (PolicySetDefinitionVersion / Name / Id / Category):
  ASB = 55.0.0 / 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 / /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 / security center
  GC  = 1.0.0 / 12794019-7a00-42cf-95c2-882eed337cc8 / /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 / guest configuration

Policy assignments (PolicyAssignmentScope / Name / Id):
  A = /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 / SecurityCenterBuiltIn / /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
  B = /providers/Microsoft.Management/managementGroups/MCAPSCore / Azure_Security_Baseline / /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
  C = /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd / f34f1577286a4f77b5dd107c / /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c

Resource path | Resource | ResourceType | IsCompliant | ComplianceState | Set | PolicyDefinitionReferenceId | PolicyDefinitionName | PolicyDefinitionVersion | PolicyDefinitionGroupNames | PolicyDefinitionAction | Assignment | PolicyDisplayName
microsoft.compute/virtualmachines/winjump | winjump | Microsoft.Compute/virtualMachines | True | Compliant | ASB | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | 3.0.0 | System.Object[] | auditifnotexists | A | Vulnerabilities in container security configurations should be remediated
microsoft.compute/virtualmachines/winjump | winjump | Microsoft.Compute/virtualMachines | True | Compliant | ASB | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | 3.0.0 | azure_security_benchmark_v3.0_ns-3 | auditifnotexists | A | IP Forwarding on your virtual machine should be disabled
microsoft.compute/virtualmachines/ittcyclecloud/extensions/azurepolicyforlinux | azurepolicyforlinux | Microsoft.Compute/virtualMachines/extensions | True | Compliant | ASB | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | 1.0.1 | System.Object[] | auditifnotexists | A | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
microsoft.compute/virtualmachines/winjump | winjump | Microsoft.Compute/virtualMachines | True | Compliant | ASB | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | 1.0.0 | azure_security_benchmark_v3.0_es-2 | auditifnotexists | A | Endpoint protection should be installed on your machines
microsoft.compute/virtualmachines/winjump | winjump | Microsoft.Compute/virtualMachines | True | Compliant | ASB | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | 1.0.0 | System.Object[] | auditifnotexists | A | Endpoint protection health issues should be resolved on your machines
microsoft.compute/virtualmachines/winjump | winjump | Microsoft.Compute/virtualMachines | True | Compliant | GC | prerequisite_deployextensionwindows | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | 1.2.0 | (empty) | deployifnotexists | C | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs
microsoft.compute/virtualmachines/winjump | winjump | Microsoft.Compute/virtualMachines | True | Compliant | ASB | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | 1.0.0 | azure_security_benchmark_v3.0_lt-5 | auditifnotexists | B | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
microsoft.compute/virtualmachines/winjump | winjump | Microsoft.Compute/virtualMachines | False | NonCompliant | ASB | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | 3.0.0 | System.Object[] | auditifnotexists | A | Azure Backup should be enabled for Virtual Machines
microsoft.compute/virtualmachines/ittcyclecloud/extensions/azurepolicyforlinux | azurepolicyforlinux | Microsoft.Compute/virtualMachines/extensions | True | Compliant | ASB | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | 1.0.1 | System.Object[] | auditifnotexists | B | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
microsoft.compute/virtualmachines/winjump/extensions/azurepolicyforwindows | azurepolicyforwindows | Microsoft.Compute/virtualMachines/extensions | True | Compliant | ASB | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | 1.0.1 | System.Object[] | auditifnotexists | B | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
microsoft.compute/virtualmachines/winjump | winjump | Microsoft.Compute/virtualMachines | True | Compliant | ASB | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | 1.0.2 | azure_security_benchmark_v3.0_pv-4 | auditifnotexists | B | Guest Configuration extension should be installed on your machines
microsoft.compute/virtualmachines/winjump | winjump | Microsoft.Compute/virtualMachines | True | Compliant | ASB | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | 4.0.0 | azure_security_benchmark_v3.0_pv-6 | auditifnotexists | B | System updates should be installed on your machines
microsoft.compute/virtualmachines/winjump | winjump | Microsoft.Compute/virtualMachines | True | Compliant | ASB | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | 1.0.0-preview | azure_security_benchmark_v3.0_pv-6 | auditifnotexists | B | [Preview]: System updates should be installed on your machines (powered by Update Center)
microsoft.compute/virtualmachines/winjump | winjump | Microsoft.Compute/virtualMachines | True | Compliant | ASB | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | 3.0.0 | System.Object[] | auditifnotexists | B | Management ports of virtual machines should be protected with just-in-time network access control
microsoft.compute/virtualmachines/winjump | winjump | Microsoft.Compute/virtualMachines | False | NonCompliant | ASB | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | 3.0.0 | azure_security_benchmark_v3.0_am-5 | auditifnotexists | B | Adaptive application controls for defining safe applications should be enabled on your machines
microsoft.compute/virtualmachines/winjump | winjump | Microsoft.Compute/virtualMachines | True | Compliant | ASB | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | 3.0.0 | azure_security_benchmark_v3.0_ns-1 | auditifnotexists | B | Internet-facing virtual machines should be protected with network security groups
microsoft.compute/virtualmachines/winjump | winjump | Microsoft.Compute/virtualMachines | True | Compliant | ASB | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | 3.0.0 | azure_security_benchmark_v3.0_ns-1 | auditifnotexists | B | Non-internet-facing virtual machines should be protected with network security groups
microsoft.network/virtualnetworks/ja-itt-vnet | ja-itt-vnet | Microsoft.Network/virtualNetworks | False | NonCompliant | ASB | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | 3.0.0-preview | azure_security_benchmark_v3.0_ns-3 | auditifnotexists | B | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall
microsoft.compute/virtualmachines/winjump | winjump | Microsoft.Compute/virtualMachines | True | Exempt | ASB | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | 4.0.0 | azure_security_benchmark_v3.0_pv-6 | auditifnotexists | A | System updates should be installed on your machines
microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | Microsoft.Compute/virtualMachines | True | Compliant | ASB | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | 2.0.3 | azure_security_benchmark_v3.0_dp-4 | auditifnotexists | A | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | Microsoft.Compute/virtualMachines | True | Compliant | ASB | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | 3.0.0 | azure_security_benchmark_v3.0_pv-5 | auditifnotexists | A | A vulnerability assessment solution should be enabled on your virtual machines
microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | Microsoft.Compute/virtualMachines | True | Compliant | ASB | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | 3.0.0 | azure_security_benchmark_v3.0_ns-1 | auditifnotexists | A | All network ports should be restricted on network security groups associated to your virtual machine
microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | Microsoft.Compute/virtualMachines | False | NonCompliant | ASB | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | 1.0.0 | azure_security_benchmark_v3.0_pv-6 | auditifnotexists | A | SQL servers on machines should have vulnerability findings resolved
microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | Microsoft.Compute/virtualMachines | True | Compliant | ASB | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | 3.0.0 | System.Object[] | auditifnotexists | A | Adaptive network hardening recommendations should be applied on internet facing virtual machines
microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | Microsoft.Compute/virtualMachines | True | Compliant | ASB | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | 3.0.0 | azure_security_benchmark_v3.0_ns-3 | auditifnotexists | A | Management ports should be closed on your virtual machines
microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | Microsoft.Compute/virtualMachines | True | Compliant | ASB | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | 3.0.0 | azure_security_benchmark_v3.0_ns-3 | auditifnotexists | A | IP Forwarding on your virtual machine should be disabled
microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | Microsoft.Compute/virtualMachines | True | Compliant | ASB | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | 3.0.0 | System.Object[] | auditifnotexists | A | Vulnerabilities in container security configurations should be remediated
microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | Microsoft.Compute/virtualMachines | True | Compliant | ASB | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | 1.0.2 | azure_security_benchmark_v3.0_pv-4 | auditifnotexists | A | Guest Configuration extension should be installed on your machines
microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | Microsoft.Compute/virtualMachines | False | NonCompliant | ASB | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | 1.0.0 | azure_security_benchmark_v3.0_es-2 | auditifnotexists | A | Endpoint protection should be installed on your machines
microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | Microsoft.Compute/virtualMachines | False | NonCompliant | ASB | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | 1.0.0 | System.Object[] | auditifnotexists | A | Endpoint protection health issues should be resolved on your machines
microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | Microsoft.Compute/virtualMachines | True | Compliant | ASB | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | 1.0.0 | azure_security_benchmark_v3.0_lt-5 | auditifnotexists | B | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
microsoft.compute/virtualmachines/ittcyclecloud | ittcyclecloud | Microsoft.Compute/virtualMachines | True | Compliant | GC | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | 3.0.0 | (empty) | deployifnotexists | C | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs

Policy definitions referenced above (PolicyDefinitionName: PolicyCategory; PolicyDescription):
  e8cbc669-f12d-49eb-93e7-9273119e9933: Security Center; Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.
  bd352bd5-2853-4985-bf0d-73806b4a5744: Security Center; Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.
  d26f7642-7545-4e18-9b75-8c9bbdee3a9a: Security Center; The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol
  1f7c564c-0a90-4d44-b7e1-9d456cffaee8: Security Center; To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.
  8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2: Security Center; Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.
  385f5831-96d4-41db-9a3c-cd3af78aaae6: Guest Configuration; This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.
  a4fe33eb-e377-4efb-ab31-0784311bc499: Security Center; This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats
  013e242c-8828-4970-87b3-ab247555486d: Backup; Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.
  ae89ebca-1c92-4898-ac2c-9f63decb045c: Security Center; To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.
  86b3d65f-7626-441e-b690-81a8b71cff60: Security Center; Missing security system updates on your servers will be monitored by Azure Security Center as recommendations
  f85bf3e0-d513-442e-89c3-1784ad63382b: Security Center; Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.
  b0f33259-77d7-4c9e-aac6-3aabcfae693c: Security Center; Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations
  47a6b606-51aa-4496-8bb7-64b11cf66adc: Security Center; Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.
  f6de0be7-9a8a-4b8a-b349-43cf02d22f7c: Security Center; Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc
  bb91dfba-c30d-4263-9add-9c2384e659a6: Security Center; Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc
  fc5e4038-4584-4632-8c85-c0448d374b2c: Network; Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall
  0961003e-5a0a-4549-abde-af6a37f2724d: Security Center; By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison
  501541f7-f7e7-4cd6-868c-4190fdad3ac9: Security Center; Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.
  9daedab3-fb2d-461e-b861-71790eead4f6: Security Center; Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.
  6ba6d016-e7c3-4842-b8f2-4992ebc0d72d: Security Center; SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.
  08e6af2d-db70-460a-bfe9-d5bd474ba9d6: Security Center; Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface
  22730e10-96f6-4aac-ad84-9383d35b5917: Security Center; Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.
  331e8ea8-378a-410f-a2e5-ae22f38bb0da: Guest Configuration; This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloudittcyclecloud55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloudittcyclecloud55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloudittcyclecloud55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloudittcyclecloud55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloudittcyclecloud55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloudittcyclecloud55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect5752e6d6-1206-46d8-8ab1-ecc2f71a8112/providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112azure_security_benchmark_v3.0_dp-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.Guest ConfigurationWindows web servers should be configured to use secure communication protocols
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloudittcyclecloud1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloudittcyclecloud1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloudittcyclecloud55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloudittcyclecloud55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloudittcyclecloud55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloudittcyclecloud55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloudittcyclecloud55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloudittcyclecloud55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloudittcyclecloud55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloudittcyclecloud55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloudittcyclecloud55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloudittcyclecloud55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloudittcyclecloud55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloudittcyclecloud55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloudittcyclecloud55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622jaittMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloudittcyclecloud55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622,jaitt,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud,ittcyclecloud,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,"[Preview]: Machines should be configured to periodically check for missing system updates"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaitt,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud,ittcyclecloud,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,"Allowlist rules in your adaptive application control policy should be updated"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaitt,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump,winjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,"[Preview]: Secure Boot should be enabled on supported Windows virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaitt,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud,ittcyclecloud,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,"Adaptive application controls for defining safe applications should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaitt,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump,winjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,"[Preview]: vTPM should be enabled on supported virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaitt,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump,winjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,"[Preview]: Machines should be configured to periodically check for missing system updates"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaitt,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump,winjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,"Virtual machines should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaitt,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump,winjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,"[Preview]: Secure Boot should be enabled on supported Windows virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaitt,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump,winjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,"[Preview]: vTPM should be enabled on supported virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaitt,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump,winjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,"[Preview]: Machines should be configured to periodically check for missing system updates"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaitt,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump,winjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,"Virtual machines should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaitt,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump,winjump,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhenuser,497dff13-db2a-4c0f-8603-28fa3b331ab6,/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,,tbd,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaitt,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/winjump,winjump,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhennone,3cf2ab00-13f1-4d0c-8971-2ac904541a7e,/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,,tbd,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaitt,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud,ittcyclecloud,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,"Azure Backup should be enabled for Virtual Machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaitt,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud,ittcyclecloud,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,"Endpoint protection health issues should be resolved on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaitt,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud,ittcyclecloud,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,"Endpoint protection should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaitt,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud,ittcyclecloud,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Non-internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaitt,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud,ittcyclecloud,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,"SQL servers on machines should have vulnerability findings resolved"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaitt,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud,ittcyclecloud,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,"Vulnerabilities in security configuration on your machines should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaitt,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud,ittcyclecloud,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Non-internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaitt,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud,ittcyclecloud,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaitt,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud,ittcyclecloud,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaitt,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud,ittcyclecloud,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,"A vulnerability assessment solution should be enabled on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaitt,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud,ittcyclecloud,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,"All network ports should be restricted on network security groups associated to your virtual machine"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaitt,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud,ittcyclecloud,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,"Adaptive network hardening recommendations should be applied on internet facing virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaitt,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud,ittcyclecloud,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,"Management ports should be closed on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaitt,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud,ittcyclecloud,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,"Monitor missing Endpoint Protection in Azure Security Center"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaitt,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud,ittcyclecloud,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,"IP Forwarding on your virtual machine should be disabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaitt,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud,ittcyclecloud,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,"Vulnerabilities in container security configurations should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaitt,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaitt/providers/microsoft.compute/virtualmachines/ittcyclecloud,ittcyclecloud,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,"Guest Configuration extension should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023,cc8233023,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,"Azure Backup should be enabled for Virtual Machines"
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycleregentcycle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycleregentcycle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycleregentcycle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycleregentcycle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycleregentcycle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycleregentcycle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycleregentcycle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycleregentcycle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycleregentcycle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycleregentcycle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycleregentcycle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycleregentcycle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycleregentcycle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycleregentcycle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycleregentcycle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023cc823302355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023cc823302355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023cc82330231.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration3.0.0prerequisite_deployextensionlinux331e8ea8-378a-410f-a2e5-ae22f38bb0da/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0datbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycleregentcycle1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration3.0.0prerequisite_deployextensionlinux331e8ea8-378a-410f-a2e5-ae22f38bb0da/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0datbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycleregentcycle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023cc823302355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023cc823302355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycleregentcycle1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle,regentcycle,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,All network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle,regentcycle,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,A vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle,regentcycle,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhenuser,497dff13-db2a-4c0f-8603-28fa3b331ab6,/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle,regentcycle,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle,regentcycle,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle,regentcycle,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,Vulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle,regentcycle,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle,regentcycle,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle,regentcycle,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle,regentcycle,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,Allowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle,regentcycle,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,Guest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle,regentcycle,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023,cc8233023,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,Authentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle,regentcycle,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle,regentcycle,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,Azure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle,regentcycle,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,IP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle,regentcycle,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,Management ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle,regentcycle,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle,regentcycle,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,Adaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023,cc8233023,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,Linux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle,regentcycle,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,Linux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023,cc8233023,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,Linux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023,cc8233023,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,Authentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle,regentcycle,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,Linux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle,regentcycle,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,Authentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle,regentcycle,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,Guest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle,regentcycle,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,Authentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle,regentcycle,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,Adaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle,regentcycle,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,SQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle,regentcycle,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,All network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle,regentcycle,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycleregentcycle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycleregentcycle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycleregentcycle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycleregentcycle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycleregentcycle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycleregentcycle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycleregentcycle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycleregentcycle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycleregentcycle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycleregentcycle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycleregentcycle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycleregentcycle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023cc823302355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0windowsdefenderexploitguardmonitoringbed48b13-6647-468e-aa2f-1af1d3f4dd40/providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineWindows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).Guest ConfigurationWindows Defender Exploit Guard should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect5752e6d6-1206-46d8-8ab1-ecc2f71a8112/providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112azure_security_benchmark_v3.0_dp-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.Guest ConfigurationWindows web servers should be configured to use secure communication protocols
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjumpwinjump1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect5752e6d6-1206-46d8-8ab1-ecc2f71a8112/providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112azure_security_benchmark_v3.0_dp-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.Guest ConfigurationWindows web servers should be configured to use secure communication protocols
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0windowsguestconfigbaselinesmonitoring72650e9f-97bc-4b2a-ab5f-9781a9fcecbc/providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbcazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationWindows machines should meet requirements of the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0windowsdefenderexploitguardmonitoringbed48b13-6647-468e-aa2f-1af1d3f4dd40/providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinWindows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).Guest ConfigurationWindows Defender Exploit Guard should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump,winjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,"Allowlist rules in your adaptive application control policy should be updated"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump,winjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump,winjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Non-internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump,winjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,"Vulnerabilities in security configuration on your machines should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump,winjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,"Monitor missing Endpoint Protection in Azure Security Center"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump,winjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,"Guest Configuration extension should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump,winjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump,winjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,"All network ports should be restricted on network security groups associated to your virtual machine"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump,winjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,"SQL servers on machines should have vulnerability findings resolved"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump,winjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,"Adaptive network hardening recommendations should be applied on internet facing virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump,winjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,"Management ports should be closed on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump,winjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,"IP Forwarding on your virtual machine should be disabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump,winjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,"Vulnerabilities in container security configurations should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump,winjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,"Azure Backup should be enabled for Virtual Machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump,winjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,"Virtual machines should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump,winjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,"Endpoint protection should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump,winjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,"Endpoint protection health issues should be resolved on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump,winjump,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,1.2.0,prerequisite_deployextensionwindows,385f5831-96d4-41db-9a3c-cd3af78aaae6,/providers/microsoft.authorization/policydefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6,,tbd,deployifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump,winjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,"Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump,winjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,"A vulnerability assessment solution should be enabled on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump,winjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,windowsguestconfigbaselinesmonitoring,72650e9f-97bc-4b2a-ab5f-9781a9fcecbc,/providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Windows machines should meet requirements of the Azure compute security baseline"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjump,winjump,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhennone,3cf2ab00-13f1-4d0c-8971-2ac904541a7e,/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle,regentcycle,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,"Vulnerabilities in container security configurations should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023,cc8233023,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023,cc8233023,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,"A vulnerability assessment solution should be enabled on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023,cc8233023,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,"All network ports should be restricted on network security groups associated to your virtual machine"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023,cc8233023,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,"SQL servers on machines should have vulnerability findings resolved"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023,cc8233023,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,"Adaptive network hardening recommendations should be applied on internet facing virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023,cc8233023,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,"Management ports should be closed on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023,cc8233023,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,"IP Forwarding on your virtual machine should be disabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023,cc8233023,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,"Vulnerabilities in container security configurations should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023,cc8233023,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,"Endpoint protection should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023,cc8233023,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,"Endpoint protection health issues should be resolved on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023cc823302355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023cc823302355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023cc823302355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023cc823302355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023cc823302355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023cc823302355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023cc823302355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023cc823302355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023cc823302355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023cc823302355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023cc823302355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023cc823302355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023cc823302355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023cc823302355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023cc823302355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023cc823302355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023cc823302355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023cc823302355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023cc823302355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023cc823302355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.storage/storageaccounts/jaregentdiagjaregentdiag55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/winjumpwinjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Network/virtualNetworkstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.network/virtualnetworks/regentvnetregentvnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vnetenableddosprotectionmonitoringa7aca53f-2ed4-4466-a25e-0b45ade68efd/providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efdazure_security_benchmark_v3.0_ns-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.Security CenterAzure DDoS Protection Standard should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Network/virtualNetworks,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.network/virtualnetworks/regentvnet,regentvnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0-preview,azurefirewalleffect,fc5e4038-4584-4632-8c85-c0448d374b2c,/providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall",Network,"[Preview]: All Internet traffic should be routed via your deployed Azure Firewall"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Network/virtualNetworks,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.network/virtualnetworks/regentvnet,regentvnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0-preview,azurefirewalleffect,fc5e4038-4584-4632-8c85-c0448d374b2c,/providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall",Network,"[Preview]: All Internet traffic should be routed via your deployed Azure Firewall"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Network/virtualNetworks,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.network/virtualnetworks/regentvnet,regentvnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networkwatchershouldbeenabledmonitoringeffect,b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,azure_security_benchmark_v3.0_ir-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.",Network,"Network Watcher should be enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Network/virtualNetworks,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.network/virtualnetworks/regentvnet,regentvnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networkwatchershouldbeenabledmonitoringeffect,b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,azure_security_benchmark_v3.0_ir-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.",Network,"Network Watcher should be enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Network/virtualNetworks/subnets,tbd,,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.network/virtualnetworks/regentvnet/subnets/admin,admin,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",Security Center,"Subnets should be associated with a Network Security Group"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Network/virtualNetworks/subnets,tbd,,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.network/virtualnetworks/regentvnet/subnets/anfsubnet,anfsubnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",Security Center,"Subnets should be associated with a Network Security Group"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Network/virtualNetworks/subnets,tbd,,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.network/virtualnetworks/regentvnet/subnets/azurebastionsubnet,azurebastionsubnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",Security Center,"Subnets should be associated with a Network Security Group"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023,cc8233023,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhennone,3cf2ab00-13f1-4d0c-8971-2ac904541a7e,/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023,cc8233023,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhenuser,497dff13-db2a-4c0f-8603-28fa3b331ab6,/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023,cc8233023,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,"Virtual machines should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023,cc8233023,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,"[Preview]: Machines should be configured to periodically check for missing system updates"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023,cc8233023,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,"[Preview]: vTPM should be enabled on supported virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023,cc8233023,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,"[Preview]: Secure Boot should be enabled on supported Windows virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023,cc8233023,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,"Virtual machines should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023,cc8233023,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,"[Preview]: Machines should be configured to periodically check for missing system updates"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023,cc8233023,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,"[Preview]: vTPM should be enabled on supported virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023,cc8233023,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,"[Preview]: Secure Boot should be enabled on supported Windows virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Exempt,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023,cc8233023,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,"System updates should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023,cc8233023,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,"Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023,cc8233023,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,"[Preview]: System updates should be installed on your machines (powered by Update Center)"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023,cc8233023,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,"Management ports of virtual machines should be protected with just-in-time network access control"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023,cc8233023,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,"Adaptive application controls for defining safe applications should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023,cc8233023,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,"Allowlist rules in your adaptive application control policy should be updated"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023,cc8233023,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/cc8233023,cc8233023,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,"Management ports should be closed on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Storage/storageAccounts,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.storage/storageaccounts/jaregentdiag,jaregentdiag,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,"Storage accounts should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.compute/virtualmachines/regentcycle,regentcycle,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,"IP Forwarding on your virtual machine should be disabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Storage/storageAccounts,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.storage/storageaccounts/jaregentdiag,jaregentdiag,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,"Storage accounts should restrict network access using virtual network rules"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Storage/storageAccounts,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.storage/storageaccounts/regentcyclecloud,regentcyclecloud,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,"Storage accounts should use private link"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Storage/storageAccounts,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.storage/storageaccounts/jaregentdiag,jaregentdiag,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,"Storage accounts should use private link"
1d81cec7-7ded-4731-884e-90c5aa59c622,jaregent,Microsoft.Storage/storageAccounts,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.storage/storageaccounts/jaregentdiag,jaregentdiag,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,"Storage accounts should use private link"
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.storage/storageaccounts/jaregentdiagjaregentdiag55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.storage/storageaccounts/regentcyclecloudregentcyclecloud55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.storage/storageaccounts/regentcyclecloudregentcyclecloud55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.storage/storageaccounts/regentcyclecloudregentcyclecloud55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.storage/storageaccounts/regentcyclecloudregentcyclecloud55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.storage/storageaccounts/regentcyclecloudregentcyclecloud55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.storage/storageaccounts/regentcyclecloudregentcyclecloud55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.storage/storageaccounts/regentcyclecloudregentcyclecloud55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.storage/storageaccounts/regentcyclecloudregentcyclecloud55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.storage/storageaccounts/regentcyclecloudregentcyclecloud55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.storage/storageaccounts/jaregentdiagjaregentdiag55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.storage/storageaccounts/jaregentdiagjaregentdiag55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.storage/storageaccounts/regentcyclecloudregentcyclecloud55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.storage/storageaccounts/jaregentdiagjaregentdiag55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.storage/storageaccounts/jaregentdiagjaregentdiag55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jaregentMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jaregent/providers/microsoft.storage/storageaccounts/jaregentdiagjaregentdiag55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622JDTest-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtestingjdtesting55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622JDTest-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtestingjdtesting55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JDTest-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtestingjdtesting55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622JDTest-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtestingjdtesting55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622JDTest-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtestingjdtesting55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622jdtest-rgMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622JDTest-RGMicrosoft.Compute/virtualMachinestbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtestingjdtesting55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jdtest-rgMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622JDTest-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtestingjdtesting55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JDTest-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtestingjdtesting55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JDTest-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtestingjdtesting55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622JDTest-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtestingjdtesting55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JDTest-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtestingjdtesting55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622JDTest-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtestingjdtesting55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622JDTest-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtestingjdtesting55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622jdtest-rgMicrosoft.Network/virtualNetworkstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.network/virtualnetworks/jdtest-rg-vnetjdtest-rg-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jdtest-rgMicrosoft.Network/virtualNetworkstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.network/virtualnetworks/jdtest-rg-vnetjdtest-rg-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jdtest-rgMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.network/virtualnetworks/jdtest-rg-vnet/subnets/defaultdefault55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622JDTest-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtestingjdtesting55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jdtest-rgMicrosoft.Network/virtualNetworkstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.network/virtualnetworks/jdtest-rg-vnetjdtest-rg-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vnetenableddosprotectionmonitoringa7aca53f-2ed4-4466-a25e-0b45ade68efd/providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efdazure_security_benchmark_v3.0_ns-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.Security CenterAzure DDoS Protection Standard should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622JDTest-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtestingjdtesting55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JDTest-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtestingjdtesting55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622JDTest-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtestingjdtesting1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622JDTest-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtestingjdtesting55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622JDTest-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtestingjdtesting55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622JDTest-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtestingjdtesting55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JDTest-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtestingjdtesting55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JDTest-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtestingjdtesting55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622JDTest-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtestingjdtesting1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622JDTest-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtestingjdtesting55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622JDTest-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtestingjdtesting55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JDTest-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtestingjdtesting55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622JDTest-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtestingjdtesting55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
SubscriptionId=1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup=JDTest-RG; ResourceType=Microsoft.Compute/virtualMachines; ResourceTags=tbd; ResourceLocation=eastus; IsCompliant=True; ComplianceState=Compliant; ResourceId=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting; Resource=jdtesting; PolicySetDefinitionVersion=55.0.0; PolicySetDefinitionName=1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionId=/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionCategory=security center; PolicyDefinitionVersion=3.0.0; PolicyDefinitionReferenceId=endpointprotectionmonitoring; PolicyDefinitionName=af6cd1bd-1635-48cb-bde7-5b15693900b9; PolicyDefinitionId=/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9; PolicyDefinitionGroupNames=azure_security_benchmark_v3.0_es-2; PolicyDefinitionCategory=tbd; PolicyDefinitionAction=auditifnotexists; PolicyAssignmentScope=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622; PolicyAssignmentParameters=tbd; PolicyAssignmentName=SecurityCenterBuiltIn; PolicyAssignmentId=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin; PolicyDescription=Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations; PolicyCategory=Security Center; PolicyDisplayName=Monitor missing Endpoint Protection in Azure Security Center
SubscriptionId=1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup=JDTest-RG; ResourceType=Microsoft.Compute/virtualMachines; ResourceTags=tbd; ResourceLocation=eastus; IsCompliant=True; ComplianceState=Compliant; ResourceId=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting; Resource=jdtesting; PolicySetDefinitionVersion=55.0.0; PolicySetDefinitionName=1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionId=/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionCategory=security center; PolicyDefinitionVersion=2.0.3; PolicyDefinitionReferenceId=diskencryptionmonitoring; PolicyDefinitionName=0961003e-5a0a-4549-abde-af6a37f2724d; PolicyDefinitionId=/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d; PolicyDefinitionGroupNames=azure_security_benchmark_v3.0_dp-4; PolicyDefinitionCategory=tbd; PolicyDefinitionAction=auditifnotexists; PolicyAssignmentScope=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622; PolicyAssignmentParameters=tbd; PolicyAssignmentName=SecurityCenterBuiltIn; PolicyAssignmentId=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin; PolicyDescription=By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison; PolicyCategory=Security Center; PolicyDisplayName=Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
SubscriptionId=1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup=JDTest-RG; ResourceType=Microsoft.Compute/virtualMachines; ResourceTags=tbd; ResourceLocation=eastus; IsCompliant=True; ComplianceState=Compliant; ResourceId=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting; Resource=jdtesting; PolicySetDefinitionVersion=55.0.0; PolicySetDefinitionName=1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionId=/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionCategory=security center; PolicyDefinitionVersion=3.0.0; PolicyDefinitionReferenceId=servervulnerabilityassessment; PolicyDefinitionName=501541f7-f7e7-4cd6-868c-4190fdad3ac9; PolicyDefinitionId=/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9; PolicyDefinitionGroupNames=azure_security_benchmark_v3.0_pv-5; PolicyDefinitionCategory=tbd; PolicyDefinitionAction=auditifnotexists; PolicyAssignmentScope=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622; PolicyAssignmentParameters=tbd; PolicyAssignmentName=SecurityCenterBuiltIn; PolicyAssignmentId=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin; PolicyDescription=Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.; PolicyCategory=Security Center; PolicyDisplayName=A vulnerability assessment solution should be enabled on your virtual machines
SubscriptionId=1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup=JDTest-RG; ResourceType=Microsoft.Compute/virtualMachines; ResourceTags=tbd; ResourceLocation=eastus; IsCompliant=True; ComplianceState=Compliant; ResourceId=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting; Resource=jdtesting; PolicySetDefinitionVersion=55.0.0; PolicySetDefinitionName=1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionId=/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionCategory=security center; PolicyDefinitionVersion=3.0.0; PolicyDefinitionReferenceId=nextgenerationfirewallmonitoring; PolicyDefinitionName=9daedab3-fb2d-461e-b861-71790eead4f6; PolicyDefinitionId=/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6; PolicyDefinitionGroupNames=azure_security_benchmark_v3.0_ns-1; PolicyDefinitionCategory=tbd; PolicyDefinitionAction=auditifnotexists; PolicyAssignmentScope=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622; PolicyAssignmentParameters=tbd; PolicyAssignmentName=SecurityCenterBuiltIn; PolicyAssignmentId=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin; PolicyDescription=Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.; PolicyCategory=Security Center; PolicyDisplayName=All network ports should be restricted on network security groups associated to your virtual machine
SubscriptionId=1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup=JDTest-RG; ResourceType=Microsoft.Compute/virtualMachines; ResourceTags=tbd; ResourceLocation=eastus; IsCompliant=False; ComplianceState=NonCompliant; ResourceId=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting; Resource=jdtesting; PolicySetDefinitionVersion=55.0.0; PolicySetDefinitionName=1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionId=/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionCategory=security center; PolicyDefinitionVersion=1.0.0; PolicyDefinitionReferenceId=serversqldbvulnerabilityassesmentmonitoring; PolicyDefinitionName=6ba6d016-e7c3-4842-b8f2-4992ebc0d72d; PolicyDefinitionId=/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d; PolicyDefinitionGroupNames=azure_security_benchmark_v3.0_pv-6; PolicyDefinitionCategory=tbd; PolicyDefinitionAction=auditifnotexists; PolicyAssignmentScope=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622; PolicyAssignmentParameters=tbd; PolicyAssignmentName=SecurityCenterBuiltIn; PolicyAssignmentId=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin; PolicyDescription=SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.; PolicyCategory=Security Center; PolicyDisplayName=SQL servers on machines should have vulnerability findings resolved
SubscriptionId=1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup=JDTest-RG; ResourceType=Microsoft.Compute/virtualMachines; ResourceTags=tbd; ResourceLocation=eastus; IsCompliant=True; ComplianceState=Compliant; ResourceId=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting; Resource=jdtesting; PolicySetDefinitionVersion=55.0.0; PolicySetDefinitionName=1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionId=/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionCategory=security center; PolicyDefinitionVersion=3.0.0; PolicyDefinitionReferenceId=adaptivenetworkhardeningsmonitoring; PolicyDefinitionName=08e6af2d-db70-460a-bfe9-d5bd474ba9d6; PolicyDefinitionId=/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6; PolicyDefinitionGroupNames=System.Object[]; PolicyDefinitionCategory=tbd; PolicyDefinitionAction=auditifnotexists; PolicyAssignmentScope=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622; PolicyAssignmentParameters=tbd; PolicyAssignmentName=SecurityCenterBuiltIn; PolicyAssignmentId=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin; PolicyDescription=Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface; PolicyCategory=Security Center; PolicyDisplayName=Adaptive network hardening recommendations should be applied on internet facing virtual machines
SubscriptionId=1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup=JDTest-RG; ResourceType=Microsoft.Compute/virtualMachines; ResourceTags=tbd; ResourceLocation=eastus; IsCompliant=True; ComplianceState=Compliant; ResourceId=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting; Resource=jdtesting; PolicySetDefinitionVersion=55.0.0; PolicySetDefinitionName=1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionId=/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionCategory=security center; PolicyDefinitionVersion=3.0.0; PolicyDefinitionReferenceId=restrictaccesstomanagementportsmonitoring; PolicyDefinitionName=22730e10-96f6-4aac-ad84-9383d35b5917; PolicyDefinitionId=/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917; PolicyDefinitionGroupNames=azure_security_benchmark_v3.0_ns-3; PolicyDefinitionCategory=tbd; PolicyDefinitionAction=auditifnotexists; PolicyAssignmentScope=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622; PolicyAssignmentParameters=tbd; PolicyAssignmentName=SecurityCenterBuiltIn; PolicyAssignmentId=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin; PolicyDescription=Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.; PolicyCategory=Security Center; PolicyDisplayName=Management ports should be closed on your virtual machines
SubscriptionId=1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup=JDTest-RG; ResourceType=Microsoft.Compute/virtualMachines; ResourceTags=tbd; ResourceLocation=eastus; IsCompliant=True; ComplianceState=Compliant; ResourceId=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting; Resource=jdtesting; PolicySetDefinitionVersion=55.0.0; PolicySetDefinitionName=1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionId=/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionCategory=security center; PolicyDefinitionVersion=3.0.0; PolicyDefinitionReferenceId=disableipforwardingmonitoring; PolicyDefinitionName=bd352bd5-2853-4985-bf0d-73806b4a5744; PolicyDefinitionId=/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744; PolicyDefinitionGroupNames=azure_security_benchmark_v3.0_ns-3; PolicyDefinitionCategory=tbd; PolicyDefinitionAction=auditifnotexists; PolicyAssignmentScope=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622; PolicyAssignmentParameters=tbd; PolicyAssignmentName=SecurityCenterBuiltIn; PolicyAssignmentId=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin; PolicyDescription=Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.; PolicyCategory=Security Center; PolicyDisplayName=IP Forwarding on your virtual machine should be disabled
SubscriptionId=1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup=JDTest-RG; ResourceType=Microsoft.Compute/virtualMachines; ResourceTags=tbd; ResourceLocation=eastus; IsCompliant=True; ComplianceState=Compliant; ResourceId=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting; Resource=jdtesting; PolicySetDefinitionVersion=55.0.0; PolicySetDefinitionName=1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionId=/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionCategory=security center; PolicyDefinitionVersion=3.0.0; PolicyDefinitionReferenceId=containerbenchmarkmonitoring; PolicyDefinitionName=e8cbc669-f12d-49eb-93e7-9273119e9933; PolicyDefinitionId=/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933; PolicyDefinitionGroupNames=System.Object[]; PolicyDefinitionCategory=tbd; PolicyDefinitionAction=auditifnotexists; PolicyAssignmentScope=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622; PolicyAssignmentParameters=tbd; PolicyAssignmentName=SecurityCenterBuiltIn; PolicyAssignmentId=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin; PolicyDescription=Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.; PolicyCategory=Security Center; PolicyDisplayName=Vulnerabilities in container security configurations should be remediated
SubscriptionId=1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup=JDTest-RG; ResourceType=Microsoft.Compute/virtualMachines; ResourceTags=tbd; ResourceLocation=eastus; IsCompliant=False; ComplianceState=NonCompliant; ResourceId=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting; Resource=jdtesting; PolicySetDefinitionVersion=55.0.0; PolicySetDefinitionName=1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionId=/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionCategory=security center; PolicyDefinitionVersion=3.0.0; PolicyDefinitionReferenceId=azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect; PolicyDefinitionName=013e242c-8828-4970-87b3-ab247555486d; PolicyDefinitionId=/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d; PolicyDefinitionGroupNames=System.Object[]; PolicyDefinitionCategory=tbd; PolicyDefinitionAction=auditifnotexists; PolicyAssignmentScope=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622; PolicyAssignmentParameters=tbd; PolicyAssignmentName=SecurityCenterBuiltIn; PolicyAssignmentId=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin; PolicyDescription=Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.; PolicyCategory=Backup; PolicyDisplayName=Azure Backup should be enabled for Virtual Machines
SubscriptionId=1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup=JDTest-RG; ResourceType=Microsoft.Compute/virtualMachines; ResourceTags=tbd; ResourceLocation=eastus; IsCompliant=False; ComplianceState=NonCompliant; ResourceId=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting; Resource=jdtesting; PolicySetDefinitionVersion=55.0.0; PolicySetDefinitionName=1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionId=/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionCategory=security center; PolicyDefinitionVersion=1.0.0; PolicyDefinitionReferenceId=installendpointprotection; PolicyDefinitionName=1f7c564c-0a90-4d44-b7e1-9d456cffaee8; PolicyDefinitionId=/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8; PolicyDefinitionGroupNames=azure_security_benchmark_v3.0_es-2; PolicyDefinitionCategory=tbd; PolicyDefinitionAction=auditifnotexists; PolicyAssignmentScope=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622; PolicyAssignmentParameters=tbd; PolicyAssignmentName=SecurityCenterBuiltIn; PolicyAssignmentId=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin; PolicyDescription=To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.; PolicyCategory=Security Center; PolicyDisplayName=Endpoint protection should be installed on your machines
SubscriptionId=1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup=JDTest-RG; ResourceType=Microsoft.Compute/virtualMachines; ResourceTags=tbd; ResourceLocation=eastus; IsCompliant=False; ComplianceState=NonCompliant; ResourceId=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting; Resource=jdtesting; PolicySetDefinitionVersion=55.0.0; PolicySetDefinitionName=1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionId=/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionCategory=security center; PolicyDefinitionVersion=1.0.0; PolicyDefinitionReferenceId=endpointprotectionhealthissuesmonitoringeffect; PolicyDefinitionName=8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2; PolicyDefinitionId=/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2; PolicyDefinitionGroupNames=System.Object[]; PolicyDefinitionCategory=tbd; PolicyDefinitionAction=auditifnotexists; PolicyAssignmentScope=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622; PolicyAssignmentParameters=tbd; PolicyAssignmentName=SecurityCenterBuiltIn; PolicyAssignmentId=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin; PolicyDescription=Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.; PolicyCategory=Security Center; PolicyDisplayName=Endpoint protection health issues should be resolved on your machines
SubscriptionId=1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup=JDTest-RG; ResourceType=Microsoft.Compute/virtualMachines; ResourceTags=tbd; ResourceLocation=eastus; IsCompliant=True; ComplianceState=Compliant; ResourceId=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting; Resource=jdtesting; PolicySetDefinitionVersion=1.0.0; PolicySetDefinitionName=12794019-7a00-42cf-95c2-882eed337cc8; PolicySetDefinitionId=/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8; PolicySetDefinitionCategory=guest configuration; PolicyDefinitionVersion=3.0.0; PolicyDefinitionReferenceId=prerequisite_deployextensionlinux; PolicyDefinitionName=331e8ea8-378a-410f-a2e5-ae22f38bb0da; PolicyDefinitionId=/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da; PolicyDefinitionCategory=tbd; PolicyDefinitionAction=deployifnotexists; PolicyAssignmentScope=/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd; PolicyAssignmentParameters=tbd; PolicyAssignmentName=f34f1577286a4f77b5dd107c; PolicyAssignmentId=/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c; PolicyDescription=This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.; PolicyCategory=Guest Configuration; PolicyDisplayName=Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
SubscriptionId=1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup=JDTest-RG; ResourceType=Microsoft.Compute/virtualMachines; ResourceTags=tbd; ResourceLocation=eastus; IsCompliant=True; ComplianceState=Compliant; ResourceId=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting; Resource=jdtesting; PolicySetDefinitionVersion=55.0.0; PolicySetDefinitionName=1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionId=/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionCategory=security center; PolicyDefinitionVersion=3.0.0; PolicyDefinitionReferenceId=containerbenchmarkmonitoring; PolicyDefinitionName=e8cbc669-f12d-49eb-93e7-9273119e9933; PolicyDefinitionId=/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933; PolicyDefinitionGroupNames=System.Object[]; PolicyDefinitionCategory=tbd; PolicyDefinitionAction=auditifnotexists; PolicyAssignmentScope=/providers/Microsoft.Management/managementGroups/MCAPSCore; PolicyAssignmentParameters=tbd; PolicyAssignmentName=Azure_Security_Baseline; PolicyAssignmentId=/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline; PolicyDescription=Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.; PolicyCategory=Security Center; PolicyDisplayName=Vulnerabilities in container security configurations should be remediated
SubscriptionId=1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup=JDTest-RG; ResourceType=Microsoft.Compute/virtualMachines; ResourceTags=tbd; ResourceLocation=eastus; IsCompliant=False; ComplianceState=NonCompliant; ResourceId=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting; Resource=jdtesting; PolicySetDefinitionVersion=55.0.0; PolicySetDefinitionName=1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionId=/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionCategory=security center; PolicyDefinitionVersion=3.0.0; PolicyDefinitionReferenceId=adaptiveapplicationcontrolsmonitoring; PolicyDefinitionName=47a6b606-51aa-4496-8bb7-64b11cf66adc; PolicyDefinitionId=/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc; PolicyDefinitionGroupNames=azure_security_benchmark_v3.0_am-5; PolicyDefinitionCategory=tbd; PolicyDefinitionAction=auditifnotexists; PolicyAssignmentScope=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622; PolicyAssignmentParameters=tbd; PolicyAssignmentName=SecurityCenterBuiltIn; PolicyAssignmentId=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin; PolicyDescription=Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.; PolicyCategory=Security Center; PolicyDisplayName=Adaptive application controls for defining safe applications should be enabled on your machines
SubscriptionId=1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup=JDTest-RG; ResourceType=Microsoft.Compute/virtualMachines; ResourceTags=tbd; ResourceLocation=eastus; IsCompliant=True; ComplianceState=Compliant; ResourceId=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting; Resource=jdtesting; PolicySetDefinitionVersion=55.0.0; PolicySetDefinitionName=1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionId=/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionCategory=security center; PolicyDefinitionVersion=1.0.2; PolicyDefinitionReferenceId=gcextonvmmonitoring; PolicyDefinitionName=ae89ebca-1c92-4898-ac2c-9f63decb045c; PolicyDefinitionId=/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c; PolicyDefinitionGroupNames=azure_security_benchmark_v3.0_pv-4; PolicyDefinitionCategory=tbd; PolicyDefinitionAction=auditifnotexists; PolicyAssignmentScope=/providers/Microsoft.Management/managementGroups/MCAPSCore; PolicyAssignmentParameters=tbd; PolicyAssignmentName=Azure_Security_Baseline; PolicyAssignmentId=/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline; PolicyDescription=To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.; PolicyCategory=Security Center; PolicyDisplayName=Guest Configuration extension should be installed on your machines
SubscriptionId=1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup=JDTest-RG; ResourceType=Microsoft.Compute/virtualMachines; ResourceTags=tbd; ResourceLocation=eastus; IsCompliant=True; ComplianceState=Compliant; ResourceId=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting; Resource=jdtesting; PolicySetDefinitionVersion=55.0.0; PolicySetDefinitionName=1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionId=/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionCategory=security center; PolicyDefinitionVersion=4.0.0; PolicyDefinitionReferenceId=systemupdatesmonitoring; PolicyDefinitionName=86b3d65f-7626-441e-b690-81a8b71cff60; PolicyDefinitionId=/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60; PolicyDefinitionGroupNames=azure_security_benchmark_v3.0_pv-6; PolicyDefinitionCategory=tbd; PolicyDefinitionAction=auditifnotexists; PolicyAssignmentScope=/providers/Microsoft.Management/managementGroups/MCAPSCore; PolicyAssignmentParameters=tbd; PolicyAssignmentName=Azure_Security_Baseline; PolicyAssignmentId=/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline; PolicyDescription=Missing security system updates on your servers will be monitored by Azure Security Center as recommendations; PolicyCategory=Security Center; PolicyDisplayName=System updates should be installed on your machines
SubscriptionId=1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup=JDTest-RG; ResourceType=Microsoft.Compute/virtualMachines; ResourceTags=tbd; ResourceLocation=eastus; IsCompliant=True; ComplianceState=Compliant; ResourceId=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting; Resource=jdtesting; PolicySetDefinitionVersion=55.0.0; PolicySetDefinitionName=1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionId=/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionCategory=security center; PolicyDefinitionVersion=1.0.0-preview; PolicyDefinitionReferenceId=systemupdatesv2monitoring; PolicyDefinitionName=f85bf3e0-d513-442e-89c3-1784ad63382b; PolicyDefinitionId=/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b; PolicyDefinitionGroupNames=azure_security_benchmark_v3.0_pv-6; PolicyDefinitionCategory=tbd; PolicyDefinitionAction=auditifnotexists; PolicyAssignmentScope=/providers/Microsoft.Management/managementGroups/MCAPSCore; PolicyAssignmentParameters=tbd; PolicyAssignmentName=Azure_Security_Baseline; PolicyAssignmentId=/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline; PolicyDescription=Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.; PolicyCategory=Security Center; PolicyDisplayName=[Preview]: System updates should be installed on your machines (powered by Update Center)
SubscriptionId=1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup=JDTest-RG; ResourceType=Microsoft.Compute/virtualMachines; ResourceTags=tbd; ResourceLocation=eastus; IsCompliant=True; ComplianceState=Compliant; ResourceId=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting; Resource=jdtesting; PolicySetDefinitionVersion=55.0.0; PolicySetDefinitionName=1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionId=/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionCategory=security center; PolicyDefinitionVersion=3.0.0; PolicyDefinitionReferenceId=jitnetworkaccessmonitoring; PolicyDefinitionName=b0f33259-77d7-4c9e-aac6-3aabcfae693c; PolicyDefinitionId=/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c; PolicyDefinitionGroupNames=System.Object[]; PolicyDefinitionCategory=tbd; PolicyDefinitionAction=auditifnotexists; PolicyAssignmentScope=/providers/Microsoft.Management/managementGroups/MCAPSCore; PolicyAssignmentParameters=tbd; PolicyAssignmentName=Azure_Security_Baseline; PolicyAssignmentId=/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline; PolicyDescription=Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations; PolicyCategory=Security Center; PolicyDisplayName=Management ports of virtual machines should be protected with just-in-time network access control
SubscriptionId=1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup=JDTest-RG; ResourceType=Microsoft.Compute/virtualMachines; ResourceTags=tbd; ResourceLocation=eastus; IsCompliant=False; ComplianceState=NonCompliant; ResourceId=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting; Resource=jdtesting; PolicySetDefinitionVersion=55.0.0; PolicySetDefinitionName=1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionId=/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionCategory=security center; PolicyDefinitionVersion=3.0.0; PolicyDefinitionReferenceId=adaptiveapplicationcontrolsmonitoring; PolicyDefinitionName=47a6b606-51aa-4496-8bb7-64b11cf66adc; PolicyDefinitionId=/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc; PolicyDefinitionGroupNames=azure_security_benchmark_v3.0_am-5; PolicyDefinitionCategory=tbd; PolicyDefinitionAction=auditifnotexists; PolicyAssignmentScope=/providers/Microsoft.Management/managementGroups/MCAPSCore; PolicyAssignmentParameters=tbd; PolicyAssignmentName=Azure_Security_Baseline; PolicyAssignmentId=/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline; PolicyDescription=Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.; PolicyCategory=Security Center; PolicyDisplayName=Adaptive application controls for defining safe applications should be enabled on your machines
SubscriptionId=1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup=JDTest-RG; ResourceType=Microsoft.Compute/virtualMachines; ResourceTags=tbd; ResourceLocation=eastus; IsCompliant=True; ComplianceState=Compliant; ResourceId=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting; Resource=jdtesting; PolicySetDefinitionVersion=55.0.0; PolicySetDefinitionName=1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionId=/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionCategory=security center; PolicyDefinitionVersion=3.0.0; PolicyDefinitionReferenceId=adaptiveapplicationcontrolsupdatemonitoring; PolicyDefinitionName=123a3936-f020-408a-ba0c-47873faf1534; PolicyDefinitionId=/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534; PolicyDefinitionGroupNames=azure_security_benchmark_v3.0_am-5; PolicyDefinitionCategory=tbd; PolicyDefinitionAction=auditifnotexists; PolicyAssignmentScope=/providers/Microsoft.Management/managementGroups/MCAPSCore; PolicyAssignmentParameters=tbd; PolicyAssignmentName=Azure_Security_Baseline; PolicyAssignmentId=/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline; PolicyDescription=Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.; PolicyCategory=Security Center; PolicyDisplayName=Allowlist rules in your adaptive application control policy should be updated
SubscriptionId=1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup=JDTest-RG; ResourceType=Microsoft.Compute/virtualMachines; ResourceTags=tbd; ResourceLocation=eastus; IsCompliant=True; ComplianceState=Compliant; ResourceId=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting; Resource=jdtesting; PolicySetDefinitionVersion=55.0.0; PolicySetDefinitionName=1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionId=/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionCategory=security center; PolicyDefinitionVersion=3.0.0; PolicyDefinitionReferenceId=networksecuritygroupsonvirtualmachinesmonitoring; PolicyDefinitionName=f6de0be7-9a8a-4b8a-b349-43cf02d22f7c; PolicyDefinitionId=/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c; PolicyDefinitionGroupNames=azure_security_benchmark_v3.0_ns-1; PolicyDefinitionCategory=tbd; PolicyDefinitionAction=auditifnotexists; PolicyAssignmentScope=/providers/Microsoft.Management/managementGroups/MCAPSCore; PolicyAssignmentParameters=tbd; PolicyAssignmentName=Azure_Security_Baseline; PolicyAssignmentId=/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline; PolicyDescription=Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc; PolicyCategory=Security Center; PolicyDisplayName=Internet-facing virtual machines should be protected with network security groups
SubscriptionId=1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup=JDTest-RG; ResourceType=Microsoft.Compute/virtualMachines; ResourceTags=tbd; ResourceLocation=eastus; IsCompliant=True; ComplianceState=Compliant; ResourceId=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting; Resource=jdtesting; PolicySetDefinitionVersion=55.0.0; PolicySetDefinitionName=1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionId=/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionCategory=security center; PolicyDefinitionVersion=3.0.0; PolicyDefinitionReferenceId=networksecuritygroupsoninternalvirtualmachinesmonitoring; PolicyDefinitionName=bb91dfba-c30d-4263-9add-9c2384e659a6; PolicyDefinitionId=/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6; PolicyDefinitionGroupNames=azure_security_benchmark_v3.0_ns-1; PolicyDefinitionCategory=tbd; PolicyDefinitionAction=auditifnotexists; PolicyAssignmentScope=/providers/Microsoft.Management/managementGroups/MCAPSCore; PolicyAssignmentParameters=tbd; PolicyAssignmentName=Azure_Security_Baseline; PolicyAssignmentId=/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline; PolicyDescription=Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc; PolicyCategory=Security Center; PolicyDisplayName=Non-internet-facing virtual machines should be protected with network security groups
SubscriptionId=1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup=JDTest-RG; ResourceType=Microsoft.Compute/virtualMachines; ResourceTags=tbd; ResourceLocation=eastus; IsCompliant=True; ComplianceState=Compliant; ResourceId=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting; Resource=jdtesting; PolicySetDefinitionVersion=55.0.0; PolicySetDefinitionName=1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionId=/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionCategory=security center; PolicyDefinitionVersion=3.0.0; PolicyDefinitionReferenceId=endpointprotectionmonitoring; PolicyDefinitionName=af6cd1bd-1635-48cb-bde7-5b15693900b9; PolicyDefinitionId=/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9; PolicyDefinitionGroupNames=azure_security_benchmark_v3.0_es-2; PolicyDefinitionCategory=tbd; PolicyDefinitionAction=auditifnotexists; PolicyAssignmentScope=/providers/Microsoft.Management/managementGroups/MCAPSCore; PolicyAssignmentParameters=tbd; PolicyAssignmentName=Azure_Security_Baseline; PolicyAssignmentId=/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline; PolicyDescription=Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations; PolicyCategory=Security Center; PolicyDisplayName=Monitor missing Endpoint Protection in Azure Security Center
SubscriptionId=1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup=JDTest-RG; ResourceType=Microsoft.Compute/virtualMachines; ResourceTags=tbd; ResourceLocation=eastus; IsCompliant=True; ComplianceState=Compliant; ResourceId=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting; Resource=jdtesting; PolicySetDefinitionVersion=55.0.0; PolicySetDefinitionName=1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionId=/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionCategory=security center; PolicyDefinitionVersion=2.0.3; PolicyDefinitionReferenceId=diskencryptionmonitoring; PolicyDefinitionName=0961003e-5a0a-4549-abde-af6a37f2724d; PolicyDefinitionId=/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d; PolicyDefinitionGroupNames=azure_security_benchmark_v3.0_dp-4; PolicyDefinitionCategory=tbd; PolicyDefinitionAction=auditifnotexists; PolicyAssignmentScope=/providers/Microsoft.Management/managementGroups/MCAPSCore; PolicyAssignmentParameters=tbd; PolicyAssignmentName=Azure_Security_Baseline; PolicyAssignmentId=/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline; PolicyDescription=By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison; PolicyCategory=Security Center; PolicyDisplayName=Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
SubscriptionId=1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup=JDTest-RG; ResourceType=Microsoft.Compute/virtualMachines; ResourceTags=tbd; ResourceLocation=eastus; IsCompliant=True; ComplianceState=Compliant; ResourceId=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting; Resource=jdtesting; PolicySetDefinitionVersion=55.0.0; PolicySetDefinitionName=1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionId=/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionCategory=security center; PolicyDefinitionVersion=3.0.0; PolicyDefinitionReferenceId=servervulnerabilityassessment; PolicyDefinitionName=501541f7-f7e7-4cd6-868c-4190fdad3ac9; PolicyDefinitionId=/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9; PolicyDefinitionGroupNames=azure_security_benchmark_v3.0_pv-5; PolicyDefinitionCategory=tbd; PolicyDefinitionAction=auditifnotexists; PolicyAssignmentScope=/providers/Microsoft.Management/managementGroups/MCAPSCore; PolicyAssignmentParameters=tbd; PolicyAssignmentName=Azure_Security_Baseline; PolicyAssignmentId=/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline; PolicyDescription=Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.; PolicyCategory=Security Center; PolicyDisplayName=A vulnerability assessment solution should be enabled on your virtual machines
SubscriptionId=1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup=JDTest-RG; ResourceType=Microsoft.Compute/virtualMachines; ResourceTags=tbd; ResourceLocation=eastus; IsCompliant=True; ComplianceState=Compliant; ResourceId=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting; Resource=jdtesting; PolicySetDefinitionVersion=55.0.0; PolicySetDefinitionName=1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionId=/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionCategory=security center; PolicyDefinitionVersion=3.0.0; PolicyDefinitionReferenceId=nextgenerationfirewallmonitoring; PolicyDefinitionName=9daedab3-fb2d-461e-b861-71790eead4f6; PolicyDefinitionId=/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6; PolicyDefinitionGroupNames=azure_security_benchmark_v3.0_ns-1; PolicyDefinitionCategory=tbd; PolicyDefinitionAction=auditifnotexists; PolicyAssignmentScope=/providers/Microsoft.Management/managementGroups/MCAPSCore; PolicyAssignmentParameters=tbd; PolicyAssignmentName=Azure_Security_Baseline; PolicyAssignmentId=/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline; PolicyDescription=Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.; PolicyCategory=Security Center; PolicyDisplayName=All network ports should be restricted on network security groups associated to your virtual machine
SubscriptionId=1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup=JDTest-RG; ResourceType=Microsoft.Compute/virtualMachines; ResourceTags=tbd; ResourceLocation=eastus; IsCompliant=False; ComplianceState=NonCompliant; ResourceId=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting; Resource=jdtesting; PolicySetDefinitionVersion=55.0.0; PolicySetDefinitionName=1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionId=/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionCategory=security center; PolicyDefinitionVersion=1.0.0; PolicyDefinitionReferenceId=serversqldbvulnerabilityassesmentmonitoring; PolicyDefinitionName=6ba6d016-e7c3-4842-b8f2-4992ebc0d72d; PolicyDefinitionId=/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d; PolicyDefinitionGroupNames=azure_security_benchmark_v3.0_pv-6; PolicyDefinitionCategory=tbd; PolicyDefinitionAction=auditifnotexists; PolicyAssignmentScope=/providers/Microsoft.Management/managementGroups/MCAPSCore; PolicyAssignmentParameters=tbd; PolicyAssignmentName=Azure_Security_Baseline; PolicyAssignmentId=/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline; PolicyDescription=SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.; PolicyCategory=Security Center; PolicyDisplayName=SQL servers on machines should have vulnerability findings resolved
SubscriptionId=1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup=JDTest-RG; ResourceType=Microsoft.Compute/virtualMachines; ResourceTags=tbd; ResourceLocation=eastus; IsCompliant=True; ComplianceState=Compliant; ResourceId=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting; Resource=jdtesting; PolicySetDefinitionVersion=55.0.0; PolicySetDefinitionName=1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionId=/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionCategory=security center; PolicyDefinitionVersion=3.0.0; PolicyDefinitionReferenceId=restrictaccesstomanagementportsmonitoring; PolicyDefinitionName=22730e10-96f6-4aac-ad84-9383d35b5917; PolicyDefinitionId=/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917; PolicyDefinitionGroupNames=azure_security_benchmark_v3.0_ns-3; PolicyDefinitionCategory=tbd; PolicyDefinitionAction=auditifnotexists; PolicyAssignmentScope=/providers/Microsoft.Management/managementGroups/MCAPSCore; PolicyAssignmentParameters=tbd; PolicyAssignmentName=Azure_Security_Baseline; PolicyAssignmentId=/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline; PolicyDescription=Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.; PolicyCategory=Security Center; PolicyDisplayName=Management ports should be closed on your virtual machines
SubscriptionId=1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup=JDTest-RG; ResourceType=Microsoft.Compute/virtualMachines; ResourceTags=tbd; ResourceLocation=eastus; IsCompliant=True; ComplianceState=Compliant; ResourceId=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting; Resource=jdtesting; PolicySetDefinitionVersion=55.0.0; PolicySetDefinitionName=1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionId=/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionCategory=security center; PolicyDefinitionVersion=1.0.0; PolicyDefinitionReferenceId=installloganalyticsagentonvmmonitoring; PolicyDefinitionName=a4fe33eb-e377-4efb-ab31-0784311bc499; PolicyDefinitionId=/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499; PolicyDefinitionGroupNames=azure_security_benchmark_v3.0_lt-5; PolicyDefinitionCategory=tbd; PolicyDefinitionAction=auditifnotexists; PolicyAssignmentScope=/providers/Microsoft.Management/managementGroups/MCAPSCore; PolicyAssignmentParameters=tbd; PolicyAssignmentName=Azure_Security_Baseline; PolicyAssignmentId=/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline; PolicyDescription=This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats; PolicyCategory=Security Center; PolicyDisplayName=Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
SubscriptionId=1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup=JDTest-RG; ResourceType=Microsoft.Compute/virtualMachines; ResourceTags=tbd; ResourceLocation=eastus; IsCompliant=False; ComplianceState=NonCompliant; ResourceId=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting; Resource=jdtesting; PolicySetDefinitionVersion=55.0.0; PolicySetDefinitionName=1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionId=/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionCategory=security center; PolicyDefinitionVersion=3.0.0; PolicyDefinitionReferenceId=systemconfigurationsmonitoring; PolicyDefinitionName=e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15; PolicyDefinitionId=/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15; PolicyDefinitionGroupNames=azure_security_benchmark_v3.0_pv-6; PolicyDefinitionCategory=tbd; PolicyDefinitionAction=auditifnotexists; PolicyAssignmentScope=/providers/Microsoft.Management/managementGroups/MCAPSCore; PolicyAssignmentParameters=tbd; PolicyAssignmentName=Azure_Security_Baseline; PolicyAssignmentId=/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline; PolicyDescription=Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations; PolicyCategory=Security Center; PolicyDisplayName=Vulnerabilities in security configuration on your machines should be remediated
SubscriptionId=1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup=JDTest-RG; ResourceType=Microsoft.Compute/virtualMachines; ResourceTags=tbd; ResourceLocation=eastus; IsCompliant=True; ComplianceState=Compliant; ResourceId=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.compute/virtualmachines/jdtesting; Resource=jdtesting; PolicySetDefinitionVersion=55.0.0; PolicySetDefinitionName=1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionId=/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionCategory=security center; PolicyDefinitionVersion=3.0.0; PolicyDefinitionReferenceId=networksecuritygroupsonvirtualmachinesmonitoring; PolicyDefinitionName=f6de0be7-9a8a-4b8a-b349-43cf02d22f7c; PolicyDefinitionId=/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c; PolicyDefinitionGroupNames=azure_security_benchmark_v3.0_ns-1; PolicyDefinitionCategory=tbd; PolicyDefinitionAction=auditifnotexists; PolicyAssignmentScope=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622; PolicyAssignmentParameters=tbd; PolicyAssignmentName=SecurityCenterBuiltIn; PolicyAssignmentId=/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin; PolicyDescription=Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc; PolicyCategory=Security Center; PolicyDisplayName=Internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622JDTest-RGMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.storage/storageaccounts/jdtestingstoragejdtestingstorage55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622JDTest-RGMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.storage/storageaccounts/jdtestingstoragejdtestingstorage55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622JDTest-RGMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.storage/storageaccounts/jdtestingstoragejdtestingstorage55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622JDTest-RGMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.storage/storageaccounts/jdtestingstoragejdtestingstorage55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622JDTest-RGMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.storage/storageaccounts/jdtestingstoragejdtestingstorage55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622JDTest-RGMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.storage/storageaccounts/jdtestingstoragejdtestingstorage55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622JDTest-RGMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.storage/storageaccounts/jdtestingstoragejdtestingstorage55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622JDTest-RGMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.storage/storageaccounts/jdtestingstoragejdtestingstorage55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622JDTest-RGMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.storage/storageaccounts/jdtestingstoragejdtestingstorage55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622JDTest-RGMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.storage/storageaccounts/jdtestingstoragejdtestingstorage55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622JDTest-RGMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jdtest-rg/providers/microsoft.storage/storageaccounts/jdtestingstoragejdtestingstorage55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622jemorey-scus-rgMicrosoft.DBforMariaDB/serverstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/microsoft.dbformariadb/servers/uclaslurmacctgdbuclaslurmacctgdb55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0publicnetworkaccessshouldbedisabledformariadbserversmonitoringeffectfdccbe47-f3e3-4213-ad5d-ea459b2fa077/providers/microsoft.authorization/policydefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDisable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.SQLPublic network access should be disabled for MariaDB servers
1d81cec7-7ded-4731-884e-90c5aa59c622jemorey-scus-rgMicrosoft.DBforMariaDB/serverstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/microsoft.dbformariadb/servers/uclaslurmacctgdbuclaslurmacctgdb55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1georedundantbackupshouldbeenabledforazuredatabaseformariadbmonitoringeffect0ec47710-77ff-4a3d-9181-6aa50af424d0/providers/microsoft.authorization/policydefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0System.Object[]tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.SQLGeo-redundant backup should be enabled for Azure Database for MariaDB
1d81cec7-7ded-4731-884e-90c5aa59c622jemorey-scus-rgMicrosoft.Sql/serverstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/Microsoft.Sql/servers/jmorey-sacctjmorey-sacct55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vulnerabilityassessmentonservermonitoringef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9/providers/microsoft.authorization/policydefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.SQLVulnerability assessment should be enabled on your SQL servers
1d81cec7-7ded-4731-884e-90c5aa59c622jemorey-scus-rgMicrosoft.Sql/serverstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/Microsoft.Sql/servers/jmorey-sacctjmorey-sacct55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0sqlserversshouldbeconfiguredwithauditingretentiondaysgreaterthan90daysmonitoringeffect89099bee-89e0-4b26-a5f4-165451757743/providers/microsoft.authorization/policydefinitions/89099bee-89e0-4b26-a5f4-165451757743azure_security_benchmark_v3.0_lt-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineFor incident investigation purposes, we recommend setting the data retention for your SQL Server' auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards.SQLSQL servers with auditing to storage account destination should be configured with 90 days retention or higher
1d81cec7-7ded-4731-884e-90c5aa59c622jemorey-scus-rgMicrosoft.Sql/serverstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/Microsoft.Sql/servers/jmorey-sacctjmorey-sacct55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vulnerabilityassessmentonservermonitoringef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9/providers/microsoft.authorization/policydefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.SQLVulnerability assessment should be enabled on your SQL servers
1d81cec7-7ded-4731-884e-90c5aa59c622jemorey-scus-rgMicrosoft.Sql/serverstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/Microsoft.Sql/servers/jmorey-sacctjmorey-sacct55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0sqldbvulnerabilityassesmentmonitoringfeedbf84-6b99-488c-acc2-71c829aa5ffc/providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffcazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities.Security CenterSQL databases should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622jemorey-scus-rgMicrosoft.DBforMariaDB/serverstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/microsoft.dbformariadb/servers/uclaslurmacctgdbuclaslurmacctgdb55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1georedundantbackupshouldbeenabledforazuredatabaseformariadbmonitoringeffect0ec47710-77ff-4a3d-9181-6aa50af424d0/providers/microsoft.authorization/policydefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0System.Object[]tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.SQLGeo-redundant backup should be enabled for Azure Database for MariaDB
1d81cec7-7ded-4731-884e-90c5aa59c622jemorey-scus-rgMicrosoft.Sql/serverstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/Microsoft.Sql/servers/jmorey-sacctjmorey-sacct55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0publicnetworkaccessonazuresqldatabaseshouldbedisabledmonitoringeffect1b8ca024-1d5c-4dec-8995-b1a932b41780/providers/microsoft.authorization/policydefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineDisabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules.SQLPublic network access on Azure SQL Database should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622jemorey-scus-rgMicrosoft.Sql/serverstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/Microsoft.Sql/servers/jmorey-sacctjmorey-sacct55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0sqldbvulnerabilityassesmentmonitoringfeedbf84-6b99-488c-acc2-71c829aa5ffc/providers/microsoft.authorization/policydefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffcazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities.Security CenterSQL databases should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622jemorey-scus-rgMicrosoft.Sql/serverstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/Microsoft.Sql/servers/jmorey-sacctjmorey-sacct55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0sqlserverauditingmonitoringa6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9/providers/microsoft.authorization/policydefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9azure_security_benchmark_v3.0_lt-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAuditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log.SQLAuditing on SQL server should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jemorey-scus-rgMicrosoft.DBforMariaDB/serverstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/microsoft.dbformariadb/servers/uclaslurmacctgdbuclaslurmacctgdb55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2privateendpointshouldbeenabledformariadbserversmonitoringeffect0a1302fb-a631-4106-9753-f3d494733990/providers/microsoft.authorization/policydefinitions/0a1302fb-a631-4106-9753-f3d494733990azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePrivate endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.SQLPrivate endpoint should be enabled for MariaDB servers
1d81cec7-7ded-4731-884e-90c5aa59c622jemorey-scus-rgMicrosoft.DBforMariaDB/serverstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/microsoft.dbformariadb/servers/uclaslurmacctgdbuclaslurmacctgdb55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2privateendpointshouldbeenabledformariadbserversmonitoringeffect0a1302fb-a631-4106-9753-f3d494733990/providers/microsoft.authorization/policydefinitions/0a1302fb-a631-4106-9753-f3d494733990azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPrivate endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.SQLPrivate endpoint should be enabled for MariaDB servers
1d81cec7-7ded-4731-884e-90c5aa59c622,jemorey-scus-rg,Microsoft.Network/virtualNetworks,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/microsoft.network/virtualnetworks/jemorey-scus-rg-vnet,jemorey-scus-rg-vnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networkwatchershouldbeenabledmonitoringeffect,b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,azure_security_benchmark_v3.0_ir-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.",Network,Network Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jemorey-scus-rg,Microsoft.Sql/servers,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/Microsoft.Sql/servers/jmorey-sacct,jmorey-sacct,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,aadauthenticationinsqlservermonitoring,1f314764-cb73-4fc9-b863-8eca98ac36e9,/providers/microsoft.authorization/policydefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9,azure_security_benchmark_v3.0_im-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services",SQL,An Azure Active Directory administrator should be provisioned for SQL servers
1d81cec7-7ded-4731-884e-90c5aa59c622,jemorey-scus-rg,Microsoft.Network/virtualNetworks,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/microsoft.network/virtualnetworks/jemorey-scus-vnet,jemorey-scus-vnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networkwatchershouldbeenabledmonitoringeffect,b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,azure_security_benchmark_v3.0_ir-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.",Network,Network Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jemorey-scus-rg,Microsoft.Sql/servers,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/Microsoft.Sql/servers/jmorey-sacct,jmorey-sacct,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.1.0,privateendpointconnectionsonazuresqldatabaseshouldbeenabledmonitoringeffect,7698e800-9299-47a6-b3b6-5a0fee576eed,/providers/microsoft.authorization/policydefinitions/7698e800-9299-47a6-b3b6-5a0fee576eed,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database.",SQL,Private endpoint connections on Azure SQL Database should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jemorey-scus-rg,Microsoft.Network/virtualNetworks,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/microsoft.network/virtualnetworks/jemorey-scus-rg-vnet,jemorey-scus-rg-vnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networkwatchershouldbeenabledmonitoringeffect,b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,azure_security_benchmark_v3.0_ir-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.",Network,Network Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jemorey-scus-rg,Microsoft.Sql/servers,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/Microsoft.Sql/servers/jmorey-sacct,jmorey-sacct,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.1,sqlserveradvanceddatasecuritymonitoring,abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9,/providers/microsoft.authorization/policydefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit SQL servers without Advanced Data Security",SQL,Azure Defender for SQL should be enabled for unprotected Azure SQL servers
1d81cec7-7ded-4731-884e-90c5aa59c622,jemorey-scus-rg,Microsoft.Network/virtualNetworks,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/microsoft.network/virtualnetworks/jemorey-scus-vnet,jemorey-scus-vnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networkwatchershouldbeenabledmonitoringeffect,b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,azure_security_benchmark_v3.0_ir-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.",Network,Network Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jemorey-scus-rg,Microsoft.DBforMariaDB/servers,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/microsoft.dbformariadb/servers/uclaslurmacctgdb,uclaslurmacctgdb,1.0.1,,,e77fc0b3-f7e9-4c58-bc13-cb753ed8e46e,/providers/Microsoft.Authorization/policySetDefinitions/e77fc0b3-f7e9-4c58-bc13-cb753ed8e46e,security center,,1.0.1,deployadvancedthreatprotectiononazuredatabaseformariadbserver,a6cf7411-da9e-49e2-aec0-cba0250eaf8c,/providers/microsoft.authorization/policydefinitions/a6cf7411-da9e-49e2-aec0-cba0250eaf8c,,tbd,deployifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,OpenSourceRelationalDatabasesProtectionSecurityCenter,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/opensourcerelationaldatabasesprotectionsecuritycenter,"Enable Advanced Threat Protection on your non-Basic tier Azure database for MariaDB servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.",SQL,Configure Advanced Threat Protection to be enabled on Azure database for MariaDB servers
1d81cec7-7ded-4731-884e-90c5aa59c622,jemorey-scus-rg,Microsoft.Sql/servers,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/Microsoft.Sql/servers/jmorey-sacct,jmorey-sacct,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,sqlserversshouldbeconfiguredwithauditingretentiondaysgreaterthan90daysmonitoringeffect,89099bee-89e0-4b26-a5f4-165451757743,/providers/microsoft.authorization/policydefinitions/89099bee-89e0-4b26-a5f4-165451757743,azure_security_benchmark_v3.0_lt-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"For incident investigation purposes, we recommend setting the data retention for your SQL Server's auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards.",SQL,SQL servers with auditing to storage account destination should be configured with 90 days retention or higher
1d81cec7-7ded-4731-884e-90c5aa59c622,jemorey-scus-rg,Microsoft.DBforMariaDB/servers,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/microsoft.dbformariadb/servers/uclaslurmacctgdb,uclaslurmacctgdb,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,publicnetworkaccessshouldbedisabledformariadbserversmonitoringeffect,fdccbe47-f3e3-4213-ad5d-ea459b2fa077,/providers/microsoft.authorization/policydefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.",SQL,Public network access should be disabled for MariaDB servers
1d81cec7-7ded-4731-884e-90c5aa59c622,jemorey-scus-rg,Microsoft.Sql/servers,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/Microsoft.Sql/servers/jmorey-sacct,jmorey-sacct,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.1.0,publicnetworkaccessonazuresqldatabaseshouldbedisabledmonitoringeffect,1b8ca024-1d5c-4dec-8995-b1a932b41780,/providers/microsoft.authorization/policydefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules.",SQL,Public network access on Azure SQL Database should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jemorey-scus-rg,Microsoft.Sql/servers,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/Microsoft.Sql/servers/jmorey-sacct,jmorey-sacct,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,aadauthenticationinsqlservermonitoring,1f314764-cb73-4fc9-b863-8eca98ac36e9,/providers/microsoft.authorization/policydefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9,azure_security_benchmark_v3.0_im-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services",SQL,An Azure Active Directory administrator should be provisioned for SQL servers
1d81cec7-7ded-4731-884e-90c5aa59c622,jemorey-scus-rg,Microsoft.Sql/servers,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/Microsoft.Sql/servers/jmorey-sacct,jmorey-sacct,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.1,sqlserveradvanceddatasecuritymonitoring,abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9,/providers/microsoft.authorization/policydefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit SQL servers without Advanced Data Security",SQL,Azure Defender for SQL should be enabled for unprotected Azure SQL servers
1d81cec7-7ded-4731-884e-90c5aa59c622,jemorey-scus-rg,Microsoft.Network/virtualNetworks,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/microsoft.network/virtualnetworks/jemorey-scus-rg-vnet,jemorey-scus-rg-vnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vnetenableddosprotectionmonitoring,a7aca53f-2ed4-4466-a25e-0b45ade68efd,/providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd,azure_security_benchmark_v3.0_ns-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.",Security Center,Azure DDoS Protection Standard should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jemorey-scus-rg,Microsoft.Sql/servers,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/Microsoft.Sql/servers/jmorey-sacct,jmorey-sacct,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.1.0,privateendpointconnectionsonazuresqldatabaseshouldbeenabledmonitoringeffect,7698e800-9299-47a6-b3b6-5a0fee576eed,/providers/microsoft.authorization/policydefinitions/7698e800-9299-47a6-b3b6-5a0fee576eed,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database.",SQL,Private endpoint connections on Azure SQL Database should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jemorey-scus-rg,Microsoft.Network/virtualNetworks,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/microsoft.network/virtualnetworks/jemorey-scus-vnet,jemorey-scus-vnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vnetenableddosprotectionmonitoring,a7aca53f-2ed4-4466-a25e-0b45ade68efd,/providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd,azure_security_benchmark_v3.0_ns-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.",Security Center,Azure DDoS Protection Standard should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jemorey-scus-rg,Microsoft.Sql/servers,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/Microsoft.Sql/servers/jmorey-sacct,jmorey-sacct,3.0.0,,,9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97,/providers/Microsoft.Authorization/policySetDefinitions/9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97,security center,,2.1.0,deploythreatdetectiononsqlservers,36d49e87-48c4-4f2e-beed-ba4ed02b71f5,/providers/microsoft.authorization/policydefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5,,tbd,deployifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,DataProtectionSecurityCenter,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/dataprotectionsecuritycenter,"Enable Azure Defender on your Azure SQL Servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.",SQL,Configure Azure Defender to be enabled on SQL servers
1d81cec7-7ded-4731-884e-90c5aa59c622,jemorey-scus-rg,Microsoft.Network/virtualNetworks/subnets,tbd,,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/microsoft.network/virtualnetworks/jemorey-scus-vnet/subnets/jmgbb-hpcc-scus-sn,jmgbb-hpcc-scus-sn,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",Security Center,Subnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622,jemorey-scus-rg,Microsoft.Network/virtualNetworks/subnets,tbd,,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/microsoft.network/virtualnetworks/jemorey-scus-vnet/subnets/jm-gbb-anf-scus-sn,jm-gbb-anf-scus-sn,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",Security Center,Subnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622,jemorey-scus-rg,Microsoft.Network/virtualNetworks/subnets,tbd,,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/microsoft.network/virtualnetworks/jemorey-scus-vnet/subnets/jemorey-compute-sn,jemorey-compute-sn,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",Security Center,Subnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622,jemorey-scus-rg,Microsoft.Sql/servers,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/Microsoft.Sql/servers/jmorey-sacct,jmorey-sacct,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,sqlserverauditingmonitoring,a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9,/providers/microsoft.authorization/policydefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9,azure_security_benchmark_v3.0_lt-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log.",SQL,Auditing on SQL server should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jemorey-scus-rg,Microsoft.Network/virtualNetworks/subnets,tbd,,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jemorey-scus-rg/providers/microsoft.network/virtualnetworks/jemorey-scus-rg-vnet/subnets/default,default,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",Security Center,Subnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-acr-eus-rg,Microsoft.ContainerRegistry/registries,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-acr-eus-rg/providers/microsoft.containerregistry/registries/jmacreus,jmacreus,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,containerregistriesshouldnotallowunrestrictednetworkaccessmonitoringeffect,d0793b48-0edc-4296-a390-4c75d1bdfd71,/providers/microsoft.authorization/policydefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet.",Container Registry,Container registries should not allow unrestricted network access
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-acr-eus-rg,Microsoft.ContainerRegistry/registries,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-acr-eus-rg/providers/microsoft.containerregistry/registries/jmacreus,jmacreus,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,containerregistriesshoulduseprivatelinkmonitoringeffect,e8eef0a8-67cf-4eb4-9386-14b0e78733d4,/providers/microsoft.authorization/policydefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link.",Container Registry,Container registries should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-acr-eus-rg,Microsoft.ContainerRegistry/registries,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-acr-eus-rg/providers/microsoft.containerregistry/registries/jmacreus,jmacreus,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,containerregistriesshoulduseprivatelinkmonitoringeffect,e8eef0a8-67cf-4eb4-9386-14b0e78733d4,/providers/microsoft.authorization/policydefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link.",Container Registry,Container registries should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-acr-eus-rg,Microsoft.ContainerRegistry/registries,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-acr-eus-rg/providers/microsoft.containerregistry/registries/jmacreus,jmacreus,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.1,containerregistryvulnerabilityassessment,5f0f936f-2f01-4bf5-b6be-d423792fa562,/providers/microsoft.authorization/policydefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.",Security Center,Container registry images should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-acr-eus-rg,Microsoft.ContainerRegistry/registries,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-acr-eus-rg/providers/microsoft.containerregistry/registries/jmacreus,jmacreus,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.1,containerregistryvulnerabilityassessment,5f0f936f-2f01-4bf5-b6be-d423792fa562,/providers/microsoft.authorization/policydefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.",Security Center,Container registry images should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-acr-eus-rg,Microsoft.ContainerRegistry/registries,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-acr-eus-rg/providers/microsoft.containerregistry/registries/jmacreus,jmacreus,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,containerregistriesshouldnotallowunrestrictednetworkaccessmonitoringeffect,d0793b48-0edc-4296-a390-4c75d1bdfd71,/providers/microsoft.authorization/policydefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet.",Container Registry,Container registries should not allow unrestricted network access
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-aks-rg,Microsoft.ContainerService/managedClusters,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-aks-rg/providers/microsoft.containerservice/managedclusters/jmakscluster,jmakscluster,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,azurekubernetesserviceclustersshouldhavesecurityprofileenabled,a1840de2-8088-4ea8-b153-b4c723e9cb01,/providers/microsoft.authorization/policydefinitions/a1840de2-8088-4ea8-b153-b4c723e9cb01,System.Object[],tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks",Kubernetes,Azure Kubernetes Service clusters should have Defender profile enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-aks-rg,Microsoft.ContainerService/managedClusters,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-aks-rg/providers/microsoft.containerservice/managedclusters/jmakscluster,jmakscluster,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,diagnosticslogsinkubernetesmonitoring,245fc9df-fa96-4414-9a0b-3738c2f7341c,/providers/microsoft.authorization/policydefinitions/245fc9df-fa96-4414-9a0b-3738c2f7341c,,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Kubernetes Service's resource logs can help recreate activity trails when investigating security incidents. Enable it to make sure the logs will exist when needed",Kubernetes,Resource logs in Azure Kubernetes Service should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-aks-rg,Microsoft.ContainerService/managedClusters,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-aks-rg/providers/microsoft.containerservice/managedclusters/jmakscluster,jmakscluster,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,diagnosticslogsinkubernetesmonitoring,245fc9df-fa96-4414-9a0b-3738c2f7341c,/providers/microsoft.authorization/policydefinitions/245fc9df-fa96-4414-9a0b-3738c2f7341c,,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Kubernetes Service's resource logs can help recreate activity trails when investigating security incidents. Enable it to make sure the logs will exist when needed",Kubernetes,Resource logs in Azure Kubernetes Service should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-aks-rgMicrosoft.ContainerService/managedClusterstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-aks-rg/providers/microsoft.containerservice/managedclusters/jmaksclusterjmakscluster55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2azurepolicyaddonstatus0a15ec92-a229-4763-bb14-0ea34a568f8d/providers/microsoft.authorization/policydefinitions/0a15ec92-a229-4763-bb14-0ea34a568f8dazure_security_benchmark_v3.0_pv-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.KubernetesAzure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters
1d81cec7-7ded-4731-884e-90c5aa59c622jm-aks-rgMicrosoft.ContainerService/managedClusterstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-aks-rg/providers/microsoft.containerservice/managedclusters/jmaksclusterjmakscluster55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1kubernetesrunningimagesvulnerabilityassessment0fc39691-5a3f-4e3e-94ee-2e6447309ad9/providers/microsoft.authorization/policydefinitions/0fc39691-5a3f-4e3e-94ee-2e6447309ad9System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineContainer image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.Security CenterRunning container images should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622jm-aks-rgMicrosoft.ContainerService/managedClusterstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-aks-rg/providers/microsoft.containerservice/managedclusters/jmaksclusterjmakscluster55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0azurekubernetesserviceclustersshouldhavesecurityprofileenableda1840de2-8088-4ea8-b153-b4c723e9cb01/providers/microsoft.authorization/policydefinitions/a1840de2-8088-4ea8-b153-b4c723e9cb01System.Object[]tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMicrosoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aksKubernetesAzure Kubernetes Service clusters should have Defender profile enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-aks-rgMicrosoft.ContainerService/managedClusterstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-aks-rg/providers/microsoft.containerservice/managedclusters/jmaksclusterjmakscluster55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2kubernetesservicerbacenabledmonitoringac4a19c2-fa67-49b4-8ae5-0b2e78c49457/providers/microsoft.authorization/policydefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies.Security CenterRole-Based Access Control (RBAC) should be used on Kubernetes Services
1d81cec7-7ded-4731-884e-90c5aa59c622jm-aks-rgMicrosoft.ContainerService/managedClusterstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-aks-rg/providers/microsoft.containerservice/managedclusters/jmaksclusterjmakscluster55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.1kubernetesserviceauthorizediprangesenabledmonitoring0e246bcf-5f6f-4f87-bc6f-775d4712c7ea/providers/microsoft.authorization/policydefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7eaazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRestrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster.Security CenterAuthorized IP ranges should be defined on Kubernetes Services
1d81cec7-7ded-4731-884e-90c5aa59c622jm-aks-rgMicrosoft.ContainerService/managedClusterstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-aks-rg/providers/microsoft.containerservice/managedclusters/jmaksclusterjmakscluster55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.1kubernetesserviceauthorizediprangesenabledmonitoring0e246bcf-5f6f-4f87-bc6f-775d4712c7ea/providers/microsoft.authorization/policydefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7eaazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRestrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster.Security CenterAuthorized IP ranges should be defined on Kubernetes Services
1d81cec7-7ded-4731-884e-90c5aa59c622jm-aks-rgMicrosoft.ContainerService/managedClusterstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-aks-rg/providers/microsoft.containerservice/managedclusters/jmaksclusterjmakscluster55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2kubernetesservicerbacenabledmonitoringac4a19c2-fa67-49b4-8ae5-0b2e78c49457/providers/microsoft.authorization/policydefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457azure_security_benchmark_v3.0_pa-7tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies.Security CenterRole-Based Access Control (RBAC) should be used on Kubernetes Services
1d81cec7-7ded-4731-884e-90c5aa59c622jm-aks-rgMicrosoft.ContainerService/managedClusterstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-aks-rg/providers/microsoft.containerservice/managedclusters/jmaksclusterjmakscluster55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1kubernetesrunningimagesvulnerabilityassessment0fc39691-5a3f-4e3e-94ee-2e6447309ad9/providers/microsoft.authorization/policydefinitions/0fc39691-5a3f-4e3e-94ee-2e6447309ad9System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinContainer image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.Security CenterRunning container images should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622jm-aks-rgMicrosoft.ContainerService/managedClusterstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-aks-rg/providers/microsoft.containerservice/managedclusters/jmaksclusterjmakscluster55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2azurepolicyaddonstatus0a15ec92-a229-4763-bb14-0ea34a568f8d/providers/microsoft.authorization/policydefinitions/0a15ec92-a229-4763-bb14-0ea34a568f8dazure_security_benchmark_v3.0_pv-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.KubernetesAzure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1lustre-oss-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2-previewascdependencyagentauditlinuxeffect04c4380f-3fae-46e8-96c9-30193528f602/providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602azure_security_benchmark_v3.0_lt-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSecurity Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.Monitoring[Preview]: Network traffic data collection agent should be installed on Linux virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1lustre-oss-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1lustre-oss-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1lustre-oss-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1lustre-oss-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,"IP Forwarding on your virtual machine should be disabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,"Vulnerabilities in container security configurations should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EUS-WKG-RG,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal,ccportal,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,"Management ports should be closed on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,"Azure Backup should be enabled for Virtual Machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,"Endpoint protection should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,"Endpoint protection health issues should be resolved on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines/extensions,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre/extensions/azurepolicyforlinux,azurepolicyforlinux,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,"Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,"Adaptive network hardening recommendations should be applied on internet facing virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,"Monitor missing Endpoint Protection in Azure Security Center"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1,lustre-oss-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,"Allowlist rules in your adaptive application control policy should be updated"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1,lustre-oss-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,"Endpoint protection should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,"Endpoint protection health issues should be resolved on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,3.0.0,prerequisite_deployextensionlinux,331e8ea8-378a-410f-a2e5-ae22f38bb0da,/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da,,tbd,deployifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,"Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,"Guest Configuration extension should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EUS-WKG-RG,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal,ccportal,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,"IP Forwarding on your virtual machine should be disabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,"System updates should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,"[Preview]: System updates should be installed on your machines (powered by Update Center)"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,"Management ports of virtual machines should be protected with just-in-time network access control"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhenuser,497dff13-db2a-4c0f-8603-28fa3b331ab6,/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,"Allowlist rules in your adaptive application control policy should be updated"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Non-internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,"Vulnerabilities in security configuration on your machines should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1,lustre-oss-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,"A vulnerability assessment solution should be enabled on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1,lustre-oss-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1,lustre-oss-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,"Monitor missing Endpoint Protection in Azure Security Center"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1,lustre-oss-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,"Vulnerabilities in security configuration on your machines should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1,lustre-oss-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Non-internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,"Vulnerabilities in container security configurations should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhennone,3cf2ab00-13f1-4d0c-8971-2ac904541a7e,/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities"
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1lustre-oss-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2-previewascdependencyagentauditlinuxeffect04c4380f-3fae-46e8-96c9-30193528f602/providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602azure_security_benchmark_v3.0_lt-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecurity Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.Monitoring[Preview]: Network traffic data collection agent should be installed on Linux virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafanagrafana1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafanagrafana1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0windowsdefenderexploitguardmonitoringbed48b13-6647-468e-aa2f-1af1d3f4dd40/providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineWindows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).Guest ConfigurationWindows Defender Exploit Guard should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2-previewascdependencyagentauditlinuxeffect04c4380f-3fae-46e8-96c9-30193528f602/providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602azure_security_benchmark_v3.0_lt-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSecurity Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.Monitoring[Preview]: Network traffic data collection agent should be installed on Linux virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
Compliance rows for subscription 1d81cec7-7ded-4731-884e-90c5aa59c622, resource group JM-AZHOP-EUS-WKG-RG, location eastus (ResourceTags: tbd). Unless stated in the row, each record was evaluated under policy set definition 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (version 55.0.0, category "security center", /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8). The prerequisite_deployextensionlinux row was evaluated under policy set definition 12794019-7a00-42cf-95c2-882eed337cc8 (version 1.0.0, category "guest configuration", /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8).
Derived columns omitted from the rows below: ResourceId is /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/<ResourceType>/<Resource> (for the extension row, the parent VM is ccportal); PolicyDefinitionId is /providers/microsoft.authorization/policydefinitions/<PolicyDefinitionName>; PolicyAssignmentId is <PolicyAssignmentScope>/providers/microsoft.authorization/policyassignments/<PolicyAssignmentName>; IsCompliant is True for Compliant and False for NonCompliant; PolicyDefinitionCategory and PolicyAssignmentParameters are tbd throughout; EffectiveParameters, PolicySetDefinitionParameters, PolicySetDefinitionOwner, PolicyEvaluationDetails, PolicyAssignmentVersion and PolicyAssignmentOwner are empty throughout. A PolicyDefinitionGroupNames value of System.Object[] is an array the export did not expand.

Resource,ResourceType,ComplianceState,PolicyDefinitionVersion,PolicyDefinitionReferenceId,PolicyDefinitionName,PolicyDefinitionGroupNames,PolicyDefinitionAction,PolicyAssignmentScope,PolicyAssignmentName,PolicyCategory,PolicyDisplayName,PolicyDescription
scheduler,Microsoft.Compute/virtualMachines,NonCompliant,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Security Center,"Vulnerabilities in security configuration on your machines should be remediated","Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations"
grafana,Microsoft.Compute/virtualMachines,Compliant,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Security Center,"IP Forwarding on your virtual machine should be disabled","Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team."
grafana,Microsoft.Compute/virtualMachines,Compliant,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Security Center,"Management ports should be closed on your virtual machines","Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine."
grafana,Microsoft.Compute/virtualMachines,Compliant,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Security Center,"Adaptive network hardening recommendations should be applied on internet facing virtual machines","Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface"
grafana,Microsoft.Compute/virtualMachines,NonCompliant,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Security Center,"SQL servers on machines should have vulnerability findings resolved","SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture."
grafana,Microsoft.Compute/virtualMachines,Compliant,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Security Center,"All network ports should be restricted on network security groups associated to your virtual machine","Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources."
grafana,Microsoft.Compute/virtualMachines,Compliant,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Security Center,"A vulnerability assessment solution should be enabled on your virtual machines","Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you."
grafana,Microsoft.Compute/virtualMachines,Compliant,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources","By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison"
grafana,Microsoft.Compute/virtualMachines,Compliant,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Security Center,"Monitor missing Endpoint Protection in Azure Security Center","Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations"
grafana,Microsoft.Compute/virtualMachines,NonCompliant,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Security Center,"Vulnerabilities in security configuration on your machines should be remediated","Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations"
grafana,Microsoft.Compute/virtualMachines,Compliant,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Security Center,"Non-internet-facing virtual machines should be protected with network security groups","Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc"
grafana,Microsoft.Compute/virtualMachines,Compliant,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Security Center,"Internet-facing virtual machines should be protected with network security groups","Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc"
ad,Microsoft.Compute/virtualMachines,NonCompliant,2.0.0,windowsguestconfigbaselinesmonitoring,72650e9f-97bc-4b2a-ab5f-9781a9fcecbc,azure_security_benchmark_v3.0_pv-4,auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Guest Configuration,"Windows machines should meet requirements of the Azure compute security baseline","Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline."
grafana,Microsoft.Compute/virtualMachines,NonCompliant,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Security Center,"Adaptive application controls for defining safe applications should be enabled on your machines","Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications."
ccportal,Microsoft.Compute/virtualMachines,NonCompliant,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,System.Object[],auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Backup,"Azure Backup should be enabled for Virtual Machines","Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure."
scheduler,Microsoft.Compute/virtualMachines,Compliant,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Security Center,"Monitor missing Endpoint Protection in Azure Security Center","Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations"
azurepolicyforlinux,Microsoft.Compute/virtualMachines/extensions,Compliant,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Security Center,"Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity","The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol"
ccportal,Microsoft.Compute/virtualMachines,Compliant,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,auditifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Security Center,"Allowlist rules in your adaptive application control policy should be updated","Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies."
ad,Microsoft.Compute/virtualMachines,Compliant,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,auditifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Security Center,"Guest Configuration extension should be installed on your machines","To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol."
ccportal,Microsoft.Compute/virtualMachines,NonCompliant,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,auditifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Security Center,"Adaptive application controls for defining safe applications should be enabled on your machines","Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications."
ccportal,Microsoft.Compute/virtualMachines,Compliant,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],auditifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Security Center,"Management ports of virtual machines should be protected with just-in-time network access control","Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations"
ccportal,Microsoft.Compute/virtualMachines,Compliant,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,auditifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Security Center,"[Preview]: System updates should be installed on your machines (powered by Update Center)","Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps."
ccportal,Microsoft.Compute/virtualMachines,Compliant,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,auditifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Security Center,"System updates should be installed on your machines","Missing security system updates on your servers will be monitored by Azure Security Center as recommendations"
ad,Microsoft.Compute/virtualMachines,NonCompliant,2.0.0,windowsdefenderexploitguardmonitoring,bed48b13-6647-468e-aa2f-1af1d3f4dd40,System.Object[],auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Guest Configuration,"Windows Defender Exploit Guard should be enabled on your machines","Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only)."
ccportal,Microsoft.Compute/virtualMachines,Compliant,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,auditifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Security Center,"Guest Configuration extension should be installed on your machines","To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol."
ccportal,Microsoft.Compute/virtualMachines,Compliant,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,auditifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Security Center,"Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring","This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats"
ccportal,Microsoft.Compute/virtualMachines,Compliant,3.0.0,prerequisite_deployextensionlinux,331e8ea8-378a-410f-a2e5-ae22f38bb0da,,deployifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,f34f1577286a4f77b5dd107c,Guest Configuration,"Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs","This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol."
scheduler,Microsoft.Compute/virtualMachines,Compliant,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Security Center,"Adaptive network hardening recommendations should be applied on internet facing virtual machines","Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface"
scheduler,Microsoft.Compute/virtualMachines,Compliant,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Security Center,"Management ports should be closed on your virtual machines","Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine."
scheduler,Microsoft.Compute/virtualMachines,Compliant,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Security Center,"IP Forwarding on your virtual machine should be disabled","Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team."
ccportal,Microsoft.Compute/virtualMachines,NonCompliant,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Security Center,"Endpoint protection health issues should be resolved on your machines","Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection."
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect5752e6d6-1206-46d8-8ab1-ecc2f71a8112/providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112azure_security_benchmark_v3.0_dp-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.Guest ConfigurationWindows web servers should be configured to use secure communication protocols
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre | lustre | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.2-preview | ascdependencyagentauditwindowseffect | 2f2ee1de-44aa-4762-b6bd-0893fc3f306d | /providers/microsoft.authorization/policydefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad | ad | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1lustre-oss-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/adad1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration1.2.0prerequisite_deployextensionwindows385f5831-96d4-41db-9a3c-cd3af78aaae6/providers/microsoft.authorization/policydefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6tbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0lustre-oss-055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08kv2m19zo0855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0lustre-oss-055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0lustre-oss-055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0lustre-oss-055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0lustre-oss-055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0lustre-oss-055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0lustre-oss-055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0lustre-oss-055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0lustre-oss-055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0lustre-oss-055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EUS-WKG-RG,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0,lustre-oss-0,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,"Endpoint protection health issues should be resolved on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1,lustre-oss-1,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhennone,3cf2ab00-13f1-4d0c-8971-2ac904541a7e,/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EUS-WKG-RG,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad,ad,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,"[Preview]: Secure Boot should be enabled on supported Windows virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EUS-WKG-RG,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad,ad,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,"[Preview]: vTPM should be enabled on supported virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EUS-WKG-RG,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad,ad,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,"[Preview]: Machines should be configured to periodically check for missing system updates"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EUS-WKG-RG,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad,ad,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,"Virtual machines should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EUS-WKG-RG,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad,ad,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhenuser,497dff13-db2a-4c0f-8603-28fa3b331ab6,/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EUS-WKG-RG,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad,ad,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhennone,3cf2ab00-13f1-4d0c-8971-2ac904541a7e,/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1,lustre-oss-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,"[Preview]: Secure Boot should be enabled on supported Windows virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1,lustre-oss-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,"[Preview]: vTPM should be enabled on supported virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1,lustre-oss-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,"[Preview]: Machines should be configured to periodically check for missing system updates"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1,lustre-oss-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,"Virtual machines should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1,lustre-oss-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,"[Preview]: Secure Boot should be enabled on supported Windows virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1,lustre-oss-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,"[Preview]: vTPM should be enabled on supported virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1,lustre-oss-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,"[Preview]: Machines should be configured to periodically check for missing system updates"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1,lustre-oss-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,"Virtual machines should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1,lustre-oss-1,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhenuser,497dff13-db2a-4c0f-8603-28fa3b331ab6,/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EUS-WKG-RG,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad,ad,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,"[Preview]: Machines should be configured to periodically check for missing system updates"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Linux machines should meet requirements for the Azure compute security baseline"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EUS-WKG-RG,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad,ad,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,"All network ports should be restricted on network security groups associated to your virtual machine"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EUS-WKG-RG,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad,ad,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,"Adaptive network hardening recommendations should be applied on internet facing virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EUS-WKG-RG,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler,scheduler,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EUS-WKG-RG,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler,scheduler,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,"A vulnerability assessment solution should be enabled on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana,grafana,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,"Azure Backup should be enabled for Virtual Machines"
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2-previewascdependencyagentauditlinuxeffect04c4380f-3fae-46e8-96c9-30193528f602/providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602azure_security_benchmark_v3.0_lt-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecurity Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.Monitoring[Preview]: Network traffic data collection agent should be installed on Linux virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2-previewascdependencyagentauditlinuxeffect04c4380f-3fae-46e8-96c9-30193528f602/providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602azure_security_benchmark_v3.0_lt-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSecurity Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.Monitoring[Preview]: Network traffic data collection agent should be installed on Linux virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/schedulerscheduler1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration3.0.0prerequisite_deployextensionlinux331e8ea8-378a-410f-a2e5-ae22f38bb0da/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0datbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportalccportal1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportalccportal1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EUS-WKG-RG,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad,ad,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2-preview,ascdependencyagentauditwindowseffect,2f2ee1de-44aa-4762-b6bd-0893fc3f306d,/providers/microsoft.authorization/policydefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d,azure_security_benchmark_v3.0_lt-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.",Monitoring,"[Preview]: Network traffic data collection agent should be installed on Windows virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1,lustre-oss-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,"Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EUS-WKG-RG,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad,ad,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,"Vulnerabilities in container security configurations should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EUS-WKG-RG,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad,ad,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,"IP Forwarding on your virtual machine should be disabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EUS-WKG-RG,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad,ad,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,"Management ports should be closed on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines/extensions,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad/extensions/azurepolicyforwindows,azurepolicyforwindows,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,"Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EUS-WKG-RG,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal,ccportal,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,"[Preview]: vTPM should be enabled on supported virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EUS-WKG-RG,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal,ccportal,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,"[Preview]: Secure Boot should be enabled on supported Windows virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EUS-WKG-RG,Microsoft.Compute/virtualMachines,tbd,eastus,True,Exempt,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal,ccportal,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,"System updates should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood,robinhood,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Linux machines should meet requirements for the Azure compute security baseline"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EUS-WKG-RG,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler,scheduler,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,"Authentication to Linux machines should require SSH keys"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EUS-WKG-RG,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal,ccportal,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,"SQL servers on machines should have vulnerability findings resolved"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EUS-WKG-RG,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal,ccportal,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,"All network ports should be restricted on network security groups associated to your virtual machine"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EUS-WKG-RG,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal,ccportal,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,"A vulnerability assessment solution should be enabled on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EUS-WKG-RG,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal,ccportal,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EUS-WKG-RG,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal,ccportal,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,"Monitor missing Endpoint Protection in Azure Security Center"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EUS-WKG-RG,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal,ccportal,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,"Vulnerabilities in security configuration on your machines should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EUS-WKG-RG,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal,ccportal,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Non-internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EUS-WKG-RG,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal,ccportal,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EUS-WKG-RG,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal,ccportal,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,"Allowlist rules in your adaptive application control policy should be updated"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EUS-WKG-RG,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal,ccportal,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,"Adaptive application controls for defining safe applications should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EUS-WKG-RG,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal,ccportal,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,"Management ports of virtual machines should be protected with just-in-time network access control"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EUS-WKG-RG,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal,ccportal,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,"[Preview]: System updates should be installed on your machines (powered by Update Center)"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EUS-WKG-RG,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal,ccportal,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,"Guest Configuration extension should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EUS-WKG-RG,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal,ccportal,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,"Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines/extensions,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ad/extensions/azurepolicyforwindows,azurepolicyforwindows,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,"Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EUS-WKG-RG,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler,scheduler,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,"Authentication to Linux machines should require SSH keys"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1,lustre-oss-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,"SQL servers on machines should have vulnerability findings resolved"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana,grafana,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,"Management ports of virtual machines should be protected with just-in-time network access control"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana,grafana,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,"Endpoint protection health issues should be resolved on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood,robinhood,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,"Adaptive application controls for defining safe applications should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1lustre-oss-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0lustre-oss-055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2-previewascdependencyagentauditlinuxeffect04c4380f-3fae-46e8-96c9-30193528f602/providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602azure_security_benchmark_v3.0_lt-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecurity Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.Monitoring[Preview]: Network traffic data collection agent should be installed on Linux virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1lustre-oss-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration3.0.0prerequisite_deployextensionlinux331e8ea8-378a-410f-a2e5-ae22f38bb0da/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0datbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08kv2m19zo0855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0lustre-oss-055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0lustre-oss-055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08kv2m19zo0855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0lustre-oss-055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0lustre-oss-055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0lustre-oss-055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhoodrobinhood55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
Policy compliance rows for subscription 1d81cec7-7ded-4731-884e-90c5aa59c622, resource group jm-azhop-eus-wkg-rg (the export writes the name in both cases), location eastus. The export ran the 33 report columns together without delimiters; the rows are rebuilt below. Columns that are constant or empty for every row in this block are factored out rather than repeated:

- ResourceTags, PolicyDefinitionCategory and PolicyAssignmentParameters read "tbd" in every row (the exporting script's placeholder, not a value from Azure). EffectiveParameters, PolicySetDefinitionParameters, PolicySetDefinitionOwner, PolicyEvaluationDetails, PolicyAssignmentVersion and PolicyAssignmentOwner are empty throughout.
- ResourceId is /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/<Resource> for the VM rows, .../providers/microsoft.keyvault/vaults/kv2m19zo08 for the vault row, and .../providers/microsoft.compute/virtualmachines/ondemand/extensions/azurepolicyforlinux for the extension rows.
- PolicyDefinitionId is /providers/microsoft.authorization/policydefinitions/<Definition GUID>.
- Initiative SC = policy set 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), version 55.0.0, category "security center" (the category field is blank on the Key Vault row). Initiative GC = policy set 12794019-7a00-42cf-95c2-882eed337cc8 (/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8), version 1.0.0, category "guest configuration".
- Assignment ASB = Azure_Security_Baseline, scope /providers/Microsoft.Management/managementGroups/MCAPSCore, id /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline. Assignment SCB = SecurityCenterBuiltIn, scope /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622, id /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin. Assignment GCP = f34f1577286a4f77b5dd107c, scope /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd, id /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c.
- A group-names value of "System.Object[]" is an array the exporting PowerShell script did not expand (Export-Csv writes a .NET array as its type name), so the Azure Security Benchmark control mapping for those rows was lost in the export.
- ASB (management-group scope) and SCB (subscription scope) both assign initiative SC, so ondemand and its extension are evaluated twice for several definitions. Each such pair is one finding, not two.
- The Exempt row carries IsCompliant = True: an exemption satisfies the compliance flag without the control being met, so exemptions deserve the same review as NonCompliant rows.
- The Key Vault row appears twice, verbatim, in the export; it is listed once here.

Resource | ResourceType | ComplianceState | Initiative | Assignment | Effect | Def. version | PolicyDefinitionReferenceId | Definition GUID | PolicyDefinitionGroupNames | PolicyCategory | PolicyDisplayName
robinhood | Microsoft.Compute/virtualMachines | Compliant | SC | ASB | auditifnotexists | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | Security Center | A vulnerability assessment solution should be enabled on your virtual machines
lustre-oss-0 | Microsoft.Compute/virtualMachines | Compliant | SC | ASB | auditifnotexists | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | Security Center | Guest Configuration extension should be installed on your machines
kv2m19zo08 | Microsoft.KeyVault/vaults | NonCompliant | SC (category blank) | ASB | audit | 1.0.2 | secretsexpirationset | 98728c90-32c7-4049-8429-847dc0f4fe37 | (none) | Key Vault | Key Vault secrets should have an expiration date
lustre-oss-0 | Microsoft.Compute/virtualMachines | Compliant | SC | ASB | auditifnotexists | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | Security Center | Internet-facing virtual machines should be protected with network security groups
lustre-oss-0 | Microsoft.Compute/virtualMachines | Compliant | SC | ASB | auditifnotexists | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | Security Center | Non-internet-facing virtual machines should be protected with network security groups
scheduler | Microsoft.Compute/virtualMachines | Compliant | GC | GCP | modify | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | (none) | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
ondemand | Microsoft.Compute/virtualMachines | Compliant | SC | ASB | auditifnotexists | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | Security Center | Management ports should be closed on your virtual machines
ondemand | Microsoft.Compute/virtualMachines | NonCompliant | SC | ASB | auditifnotexists | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | Security Center | SQL servers on machines should have vulnerability findings resolved
lustre-oss-1 | Microsoft.Compute/virtualMachines | Compliant | SC | ASB | auditifnotexists | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | Security Center | IP Forwarding on your virtual machine should be disabled
lustre-oss-1 | Microsoft.Compute/virtualMachines | Compliant | SC | ASB | auditifnotexists | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | Security Center | Vulnerabilities in container security configurations should be remediated
jumpbox | Microsoft.Compute/virtualMachines | Compliant | SC | ASB | auditifnotexists | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | Guest Configuration | Authentication to Linux machines should require SSH keys
lustre-oss-1 | Microsoft.Compute/virtualMachines | NonCompliant | SC | ASB | auditifnotexists | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | System.Object[] | Backup | Azure Backup should be enabled for Virtual Machines
lustre-oss-1 | Microsoft.Compute/virtualMachines | NonCompliant | SC | ASB | auditifnotexists | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | Security Center | Endpoint protection should be installed on your machines
lustre-oss-1 | Microsoft.Compute/virtualMachines | NonCompliant | SC | ASB | auditifnotexists | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | Security Center | Endpoint protection health issues should be resolved on your machines
ondemand | Microsoft.Compute/virtualMachines | Compliant | GC | GCP | modify | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | (none) | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
ondemand | Microsoft.Compute/virtualMachines | Compliant | GC | GCP | modify | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | (none) | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
lustre-oss-1 | Microsoft.Compute/virtualMachines | Compliant | SC | ASB | auditifnotexists | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | Security Center | Management ports should be closed on your virtual machines
ondemand | Microsoft.Compute/virtualMachines | Compliant | SC | SCB | audit | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | Compute | Virtual machines should be migrated to new Azure Resource Manager resources
ondemand | Microsoft.Compute/virtualMachines | Compliant | SC | SCB | audit | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | Security Center | [Preview]: vTPM should be enabled on supported virtual machines
ondemand | Microsoft.Compute/virtualMachines | Compliant | SC | SCB | audit | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines
ondemand | Microsoft.Compute/virtualMachines | Compliant | SC | ASB | audit | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | Compute | Virtual machines should be migrated to new Azure Resource Manager resources
ondemand | Microsoft.Compute/virtualMachines | NonCompliant | SC | ASB | audit | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates
ondemand | Microsoft.Compute/virtualMachines | Compliant | SC | ASB | audit | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | Security Center | [Preview]: vTPM should be enabled on supported virtual machines
ondemand | Microsoft.Compute/virtualMachines | Compliant | SC | ASB | audit | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines
ondemand | Microsoft.Compute/virtualMachines | Exempt (IsCompliant = True) | SC | SCB | auditifnotexists | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | Security Center | System updates should be installed on your machines
azurepolicyforlinux (on ondemand) | Microsoft.Compute/virtualMachines/extensions | Compliant | SC | ASB | auditifnotexists | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
ondemand | Microsoft.Compute/virtualMachines | NonCompliant | SC | SCB | audit | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates
azurepolicyforlinux (on ondemand) | Microsoft.Compute/virtualMachines/extensions | Compliant | SC | SCB | auditifnotexists | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
lustre-oss-1 | Microsoft.Compute/virtualMachines | Compliant | SC | ASB | auditifnotexists | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines
lustre-oss-1 | Microsoft.Compute/virtualMachines | Compliant | SC | ASB | auditifnotexists | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | Security Center | All network ports should be restricted on network security groups associated to your virtual machine

PolicyDescription column, listed once per definition:

A vulnerability assessment solution should be enabled on your virtual machines: Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.
Guest Configuration extension should be installed on your machines: To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.
Key Vault secrets should have an expiration date: Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.
Internet-facing virtual machines should be protected with network security groups: Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc
Non-internet-facing virtual machines should be protected with network security groups: Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities: This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity: This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.
Management ports should be closed on your virtual machines: Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.
SQL servers on machines should have vulnerability findings resolved: SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.
IP Forwarding on your virtual machine should be disabled: Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.
Vulnerabilities in container security configurations should be remediated: Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.
Authentication to Linux machines should require SSH keys: Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.
Azure Backup should be enabled for Virtual Machines: Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.
Endpoint protection should be installed on your machines: To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.
Endpoint protection health issues should be resolved on your machines: Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.
Virtual machines should be migrated to new Azure Resource Manager resources: Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management.
[Preview]: vTPM should be enabled on supported virtual machines: Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.
[Preview]: Secure Boot should be enabled on supported Windows virtual machines: Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.
[Preview]: Machines should be configured to periodically check for missing system updates: To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.
System updates should be installed on your machines: Missing security system updates on your servers will be monitored by Azure Security Center as recommendations.
Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity: The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol
Adaptive network hardening recommendations should be applied on internet facing virtual machines: Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface.
All network ports should be restricted on network security groups associated to your virtual machine: Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1lustre-oss-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1lustre-oss-11.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration3.0.0prerequisite_deployextensionlinux331e8ea8-378a-410f-a2e5-ae22f38bb0da/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0datbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1lustre-oss-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1lustre-oss-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1lustre-oss-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1lustre-oss-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1lustre-oss-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1lustre-oss-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1lustre-oss-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1lustre-oss-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1lustre-oss-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1lustre-oss-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1lustre-oss-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1lustre-oss-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1lustre-oss-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1lustre-oss-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1lustre-oss-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1lustre-oss-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0lustre-oss-055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
Compliance rows for subscription 1d81cec7-7ded-4731-884e-90c5aa59c622, resource group jm-azhop-eus-wkg-rg (reported upper-cased as JM-AZHOP-EUS-WKG-RG in three of the lustre-oss-0 rows), location eastus. ResourceId is /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/<Resource> for the virtual machines and /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08 for the vault. IsCompliant is True in every Compliant row and False in every NonCompliant row. ResourceTags, PolicyDefinitionCategory and PolicyAssignmentParameters are "tbd" in every row; EffectiveParameters, PolicySetDefinitionParameters, PolicySetDefinitionOwner, PolicyEvaluationDetails, PolicyAssignmentVersion and PolicyAssignmentOwner are empty.

Policy assignments referenced:
SecurityCenterBuiltIn: scope /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622; PolicyAssignmentId /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
Azure_Security_Baseline: scope /providers/Microsoft.Management/managementGroups/MCAPSCore; PolicyAssignmentId /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
f34f1577286a4f77b5dd107c: scope /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd; PolicyAssignmentId /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c

Unless noted in the policy list below, every row is evaluated through policy set 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (PolicySetDefinitionId /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8, category "security center", version 55.0.0).

Non-compliant in this section: lustre-oss-0 and lustre-oss-1 fail the Linux compute security baseline; lustre-oss-0 and ondemand have unremediated security-configuration vulnerabilities; ondemand has no Azure Backup and is flagged both for endpoint protection not being installed and for endpoint protection health issues (while the older "Monitor missing Endpoint Protection" policy reports it Compliant); vault kv2m19zo08 holds secrets without an expiration date. Where a definition is assigned at subscription scope (SecurityCenterBuiltIn) and again at management-group scope (Azure_Security_Baseline), the same resource appears twice for it.

Resource | ResourceType | ComplianceState | PolicyDisplayName | PolicyAssignmentName
lustre-oss-1 | Microsoft.Compute/virtualMachines | NonCompliant | Linux machines should meet requirements for the Azure compute security baseline | SecurityCenterBuiltIn
lustre-oss-0 | Microsoft.Compute/virtualMachines | NonCompliant | Linux machines should meet requirements for the Azure compute security baseline | Azure_Security_Baseline
ondemand | Microsoft.Compute/virtualMachines | Compliant | System updates should be installed on your machines | Azure_Security_Baseline
ondemand | Microsoft.Compute/virtualMachines | Compliant | [Preview]: System updates should be installed on your machines (powered by Update Center) | Azure_Security_Baseline
ondemand | Microsoft.Compute/virtualMachines | Compliant | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | f34f1577286a4f77b5dd107c
ondemand | Microsoft.Compute/virtualMachines | Compliant | Management ports of virtual machines should be protected with just-in-time network access control | Azure_Security_Baseline
ondemand | Microsoft.Compute/virtualMachines | Compliant | Adaptive application controls for defining safe applications should be enabled on your machines | Azure_Security_Baseline
ondemand | Microsoft.Compute/virtualMachines | NonCompliant | Azure Backup should be enabled for Virtual Machines | SecurityCenterBuiltIn
lustre-oss-0 | Microsoft.Compute/virtualMachines | NonCompliant | Vulnerabilities in security configuration on your machines should be remediated | Azure_Security_Baseline
ondemand | Microsoft.Compute/virtualMachines | Compliant | Allowlist rules in your adaptive application control policy should be updated | Azure_Security_Baseline
ondemand | Microsoft.Compute/virtualMachines | Compliant | Internet-facing virtual machines should be protected with network security groups | Azure_Security_Baseline
ondemand | Microsoft.Compute/virtualMachines | Compliant | Non-internet-facing virtual machines should be protected with network security groups | Azure_Security_Baseline
ondemand | Microsoft.Compute/virtualMachines | NonCompliant | Vulnerabilities in security configuration on your machines should be remediated | Azure_Security_Baseline
ondemand | Microsoft.Compute/virtualMachines | Compliant | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | Azure_Security_Baseline
ondemand | Microsoft.Compute/virtualMachines | Compliant | Monitor missing Endpoint Protection in Azure Security Center | Azure_Security_Baseline
ondemand | Microsoft.Compute/virtualMachines | Compliant | All network ports should be restricted on network security groups associated to your virtual machine | Azure_Security_Baseline
ondemand | Microsoft.Compute/virtualMachines | Compliant | A vulnerability assessment solution should be enabled on your virtual machines | Azure_Security_Baseline
kv2m19zo08 | Microsoft.KeyVault/vaults | NonCompliant | Key Vault secrets should have an expiration date | Azure_Security_Baseline
lustre-oss-0 | Microsoft.Compute/virtualMachines | NonCompliant | Linux machines should meet requirements for the Azure compute security baseline | SecurityCenterBuiltIn
ondemand | Microsoft.Compute/virtualMachines | NonCompliant | Endpoint protection health issues should be resolved on your machines | SecurityCenterBuiltIn
lustre-oss-1 | Microsoft.Compute/virtualMachines | Compliant | Authentication to Linux machines should require SSH keys | Azure_Security_Baseline
ondemand | Microsoft.Compute/virtualMachines | Compliant | [Preview]: System updates should be installed on your machines (powered by Update Center) | SecurityCenterBuiltIn
ondemand | Microsoft.Compute/virtualMachines | Compliant | Management ports of virtual machines should be protected with just-in-time network access control | SecurityCenterBuiltIn
ondemand | Microsoft.Compute/virtualMachines | Compliant | Adaptive application controls for defining safe applications should be enabled on your machines | SecurityCenterBuiltIn
ondemand | Microsoft.Compute/virtualMachines | Compliant | Allowlist rules in your adaptive application control policy should be updated | SecurityCenterBuiltIn
ondemand | Microsoft.Compute/virtualMachines | Compliant | Guest Configuration extension should be installed on your machines | SecurityCenterBuiltIn
ondemand | Microsoft.Compute/virtualMachines | Compliant | Internet-facing virtual machines should be protected with network security groups | SecurityCenterBuiltIn
ondemand | Microsoft.Compute/virtualMachines | Compliant | Non-internet-facing virtual machines should be protected with network security groups | SecurityCenterBuiltIn
ondemand | Microsoft.Compute/virtualMachines | NonCompliant | Vulnerabilities in security configuration on your machines should be remediated | SecurityCenterBuiltIn
ondemand | Microsoft.Compute/virtualMachines | NonCompliant | Endpoint protection should be installed on your machines | SecurityCenterBuiltIn
ondemand | Microsoft.Compute/virtualMachines | Compliant | Monitor missing Endpoint Protection in Azure Security Center | SecurityCenterBuiltIn

Policy definitions referenced above (PolicyDefinitionId is /providers/microsoft.authorization/policydefinitions/<PolicyDefinitionName>):

Linux machines should meet requirements for the Azure compute security baseline
  PolicyDefinitionName fc9b3da7-8347-4380-8e70-0a0361d8dedd; version 2.0.0; reference id linuxguestconfigbaselinesmonitoring; group azure_security_benchmark_v3.0_pv-4; effect auditifnotexists; category Guest Configuration
  Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.

System updates should be installed on your machines
  PolicyDefinitionName 86b3d65f-7626-441e-b690-81a8b71cff60; version 4.0.0; reference id systemupdatesmonitoring; group azure_security_benchmark_v3.0_pv-6; effect auditifnotexists; category Security Center
  Missing security system updates on your servers will be monitored by Azure Security Center as recommendations

[Preview]: System updates should be installed on your machines (powered by Update Center)
  PolicyDefinitionName f85bf3e0-d513-442e-89c3-1784ad63382b; version 1.0.0-preview; reference id systemupdatesv2monitoring; group azure_security_benchmark_v3.0_pv-6; effect auditifnotexists; category Security Center
  Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.

Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
  PolicyDefinitionName 331e8ea8-378a-410f-a2e5-ae22f38bb0da; version 3.0.0; reference id prerequisite_deployextensionlinux; no group; effect deployifnotexists; category Guest Configuration. Evaluated through policy set 12794019-7a00-42cf-95c2-882eed337cc8 (PolicySetDefinitionId /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8, category "guest configuration", version 1.0.0) under assignment f34f1577286a4f77b5dd107c.
  This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.

Management ports of virtual machines should be protected with just-in-time network access control
  PolicyDefinitionName b0f33259-77d7-4c9e-aac6-3aabcfae693c; version 3.0.0; reference id jitnetworkaccessmonitoring; group System.Object[]; effect auditifnotexists; category Security Center
  Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations

Adaptive application controls for defining safe applications should be enabled on your machines
  PolicyDefinitionName 47a6b606-51aa-4496-8bb7-64b11cf66adc; version 3.0.0; reference id adaptiveapplicationcontrolsmonitoring; group azure_security_benchmark_v3.0_am-5; effect auditifnotexists; category Security Center
  Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.

Azure Backup should be enabled for Virtual Machines
  PolicyDefinitionName 013e242c-8828-4970-87b3-ab247555486d; version 3.0.0; reference id azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect; group System.Object[]; effect auditifnotexists; category Backup
  Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.

Vulnerabilities in security configuration on your machines should be remediated
  PolicyDefinitionName e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15; version 3.0.0; reference id systemconfigurationsmonitoring; group azure_security_benchmark_v3.0_pv-6; effect auditifnotexists; category Security Center
  Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations

Allowlist rules in your adaptive application control policy should be updated
  PolicyDefinitionName 123a3936-f020-408a-ba0c-47873faf1534; version 3.0.0; reference id adaptiveapplicationcontrolsupdatemonitoring; group azure_security_benchmark_v3.0_am-5; effect auditifnotexists; category Security Center
  Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.

Internet-facing virtual machines should be protected with network security groups
  PolicyDefinitionName f6de0be7-9a8a-4b8a-b349-43cf02d22f7c; version 3.0.0; reference id networksecuritygroupsonvirtualmachinesmonitoring; group azure_security_benchmark_v3.0_ns-1; effect auditifnotexists; category Security Center
  Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc

Non-internet-facing virtual machines should be protected with network security groups
  PolicyDefinitionName bb91dfba-c30d-4263-9add-9c2384e659a6; version 3.0.0; reference id networksecuritygroupsoninternalvirtualmachinesmonitoring; group azure_security_benchmark_v3.0_ns-1; effect auditifnotexists; category Security Center
  Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc

Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
  PolicyDefinitionName 0961003e-5a0a-4549-abde-af6a37f2724d; version 2.0.3; reference id diskencryptionmonitoring; group azure_security_benchmark_v3.0_dp-4; effect auditifnotexists; category Security Center
  By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison

Monitor missing Endpoint Protection in Azure Security Center
  PolicyDefinitionName af6cd1bd-1635-48cb-bde7-5b15693900b9; version 3.0.0; reference id endpointprotectionmonitoring; group azure_security_benchmark_v3.0_es-2; effect auditifnotexists; category Security Center
  Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations

All network ports should be restricted on network security groups associated to your virtual machine
  PolicyDefinitionName 9daedab3-fb2d-461e-b861-71790eead4f6; version 3.0.0; reference id nextgenerationfirewallmonitoring; group azure_security_benchmark_v3.0_ns-1; effect auditifnotexists; category Security Center
  Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.

A vulnerability assessment solution should be enabled on your virtual machines
  PolicyDefinitionName 501541f7-f7e7-4cd6-868c-4190fdad3ac9; version 3.0.0; reference id servervulnerabilityassessment; group azure_security_benchmark_v3.0_pv-5; effect auditifnotexists; category Security Center
  Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.

Key Vault secrets should have an expiration date
  PolicyDefinitionName 98728c90-32c7-4049-8429-847dc0f4fe37; version 1.0.2; reference id secretsexpirationset; no group; effect audit; category Key Vault. PolicySetDefinitionCategory is empty in this row.
  Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.

Endpoint protection health issues should be resolved on your machines
  PolicyDefinitionName 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2; version 1.0.0; reference id endpointprotectionhealthissuesmonitoringeffect; group System.Object[]; effect auditifnotexists; category Security Center
  Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.

Authentication to Linux machines should require SSH keys
  PolicyDefinitionName 630c64f9-8b6b-4c64-b511-6544ceff6fd6; version 3.0.0; reference id authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect; group azure_security_benchmark_v3.0_im-6; effect auditifnotexists; category Guest Configuration
  Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.

Guest Configuration extension should be installed on your machines
  PolicyDefinitionName ae89ebca-1c92-4898-ac2c-9f63decb045c; version 1.0.2; reference id gcextonvmmonitoring; group azure_security_benchmark_v3.0_pv-4; effect auditifnotexists; category Security Center
  To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.

Endpoint protection should be installed on your machines
  PolicyDefinitionName 1f7c564c-0a90-4d44-b7e1-9d456cffaee8; version 1.0.0; reference id installendpointprotection; group azure_security_benchmark_v3.0_es-2; effect auditifnotexists; category Security Center
  To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2-previewascdependencyagentauditlinuxeffect04c4380f-3fae-46e8-96c9-30193528f602/providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602azure_security_benchmark_v3.0_lt-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSecurity Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.Monitoring[Preview]: Network traffic data collection agent should be installed on Linux virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/schedulerscheduler1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2-previewascdependencyagentauditlinuxeffect04c4380f-3fae-46e8-96c9-30193528f602/providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602azure_security_benchmark_v3.0_lt-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSecurity Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.Monitoring[Preview]: Network traffic data collection agent should be installed on Linux virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox,jumpbox,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Non-internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox,jumpbox,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox,jumpbox,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,"Allowlist rules in your adaptive application control policy should be updated"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox,jumpbox,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,"Adaptive application controls for defining safe applications should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox,jumpbox,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,"Management ports of virtual machines should be protected with just-in-time network access control"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox,jumpbox,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,"[Preview]: System updates should be installed on your machines (powered by Update Center)"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox,jumpbox,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines/extensions,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox/extensions/azurepolicyforlinux,azurepolicyforlinux,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,"Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox,jumpbox,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,"Azure Backup should be enabled for Virtual Machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox,jumpbox,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,"Endpoint protection health issues should be resolved on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox,jumpbox,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,"Management ports should be closed on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox,jumpbox,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,"Adaptive network hardening recommendations should be applied on internet facing virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox,jumpbox,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,"SQL servers on machines should have vulnerability findings resolved"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox,jumpbox,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,"All network ports should be restricted on network security groups associated to your virtual machine"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox,jumpbox,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,"A vulnerability assessment solution should be enabled on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox,jumpbox,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox,jumpbox,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,"Monitor missing Endpoint Protection in Azure Security Center"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox,jumpbox,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,"Vulnerabilities in security configuration on your machines should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox,jumpbox,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,"Endpoint protection should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox,jumpbox,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Non-internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox,jumpbox,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,"Allowlist rules in your adaptive application control policy should be updated"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox,jumpbox,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,"Adaptive application controls for defining safe applications should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox,jumpbox,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,"Management ports of virtual machines should be protected with just-in-time network access control"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox,jumpbox,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,"[Preview]: System updates should be installed on your machines (powered by Update Center)"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox,jumpbox,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,"System updates should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox,jumpbox,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,"Guest Configuration extension should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox,jumpbox,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,3.0.0,prerequisite_deployextensionlinux,331e8ea8-378a-410f-a2e5-ae22f38bb0da,/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da,,tbd,deployifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox,jumpbox,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,"Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox,jumpbox,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox,jumpbox,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,"IP Forwarding on your virtual machine should be disabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-eus-wkg-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox,jumpbox,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,"Guest Configuration extension should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0windowsguestconfigbaselinesmonitoring72650e9f-97bc-4b2a-ab5f-9781a9fcecbc/providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbcazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationWindows machines should meet requirements of the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1lustre-oss-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect5752e6d6-1206-46d8-8ab1-ecc2f71a8112/providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112azure_security_benchmark_v3.0_dp-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.Guest ConfigurationWindows web servers should be configured to use secure communication protocols
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafanagrafana1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration3.0.0prerequisite_deployextensionlinux331e8ea8-378a-410f-a2e5-ae22f38bb0da/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0datbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1lustre-oss-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-1lustre-oss-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpboxjumpbox1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2-previewascdependencyagentauditlinuxeffect04c4380f-3fae-46e8-96c9-30193528f602/providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602azure_security_benchmark_v3.0_lt-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecurity Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.Monitoring[Preview]: Network traffic data collection agent should be installed on Linux virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpboxjumpbox1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2-previewascdependencyagentauditlinuxeffect04c4380f-3fae-46e8-96c9-30193528f602/providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602azure_security_benchmark_v3.0_lt-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecurity Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.Monitoring[Preview]: Network traffic data collection agent should be installed on Linux virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08kv2m19zo0855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0lustre-oss-055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0lustre-oss-055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 1.0.0 | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | tbd | deployifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates
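The finding above (policy bd876905-5b84-4f73-ab2d-2e7a7c4568d9 on VM scheduler) is also audit-only: the assignment effect is `audit`, so nothing sets AssessmentMode for you. The PowerShell below is an added example, not part of the generated report or of the script that produced it. It assumes the Az.Compute module, an existing Connect-AzAccount session with write access to the VM, that scheduler is a Linux VM (the Windows case is the same property under WindowsConfiguration), and that Az.Compute exposes the patch-settings object under the `Microsoft.Azure.Management.Compute.Models.LinuxPatchSettings` type name used here; the resource group and VM name are taken from the row.

```powershell
# Added example: turn on periodic update assessment (AssessmentMode=AutomaticByPlatform) and read it back.
# Not part of the report above. Assumes Az.Compute and an authenticated Az session.
$ResourceGroup = 'jm-azhop-eus-wkg-rg'   # from the report row
$VmName        = 'scheduler'             # from the report row

$vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName

# The setting lives at osProfile.linuxConfiguration.patchSettings.assessmentMode in the VM model.
$cfg = $vm.OSProfile.LinuxConfiguration
if ($null -eq $cfg) {
    throw "$VmName has no LinuxConfiguration; use OSProfile.WindowsConfiguration for a Windows VM."
}
if ($null -eq $cfg.PatchSettings) {
    # Assumed SDK type name; on a VM that already has patch settings this branch is skipped.
    $cfg.PatchSettings = New-Object Microsoft.Azure.Management.Compute.Models.LinuxPatchSettings
}

# Only the assessment is made platform-driven. PatchMode is left untouched, so this change
# schedules checks for missing updates but installs nothing.
$cfg.PatchSettings.AssessmentMode = 'AutomaticByPlatform'

Update-AzVM -ResourceGroupName $ResourceGroup -VM $vm | Out-Null

# Read back what the policy will see on its next evaluation.
$after = (Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName).OSProfile.LinuxConfiguration.PatchSettings
'{0}: PatchMode={1} AssessmentMode={2}' -f $VmName, $after.PatchMode, $after.AssessmentMode
```

The same change from Azure CLI is `az vm update -g jm-azhop-eus-wkg-rg -n scheduler --set osProfile.linuxConfiguration.patchSettings.assessmentMode=AutomaticByPlatform`. Periodic assessment needs a running Azure VM agent on a supported image; on an unsupported image the property is accepted but no assessment runs, so confirm with the Update Management Center assessment view rather than trusting the property alone. Note the neighbouring rows: scheduler carries an `Exempt` state for the older system-updates policy 86b3d65f-7626-441e-b690-81a8b71cff60, so an exemption, not a patched machine, is why that row is not NonCompliant.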
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-eus-wkg-rg | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/robinhood | robinhood | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0 | lustre-oss-0 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EUS-WKG-RG | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08kv2m19zo0855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0lustre-oss-055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0lustre-oss-055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08kv2m19zo0855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0lustre-oss-055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0lustre-oss-055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0lustre-oss-055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0lustre-oss-055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0lustre-oss-055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0lustre-oss-055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0lustre-oss-055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0lustre-oss-055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08kv2m19zo0855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0lustre-oss-055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0lustre-oss-055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0lustre-oss-055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0lustre-oss-01.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EUS-WKG-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0lustre-oss-01.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
Resource: ccportal (Microsoft.Compute/virtualMachines) | ResourceGroup: JM-AZHOP-EUS-WKG-RG | ResourceLocation: eastus | ResourceTags: tbd | SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622
ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/ccportal
ComplianceState: Compliant | IsCompliant: True
PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | Version: 55.0.0 | Category: security center | Id: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicyDefinition: 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | Version: 3.0.0 | ReferenceId: authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | GroupNames: azure_security_benchmark_v3.0_im-6 | Category: tbd | Action: auditifnotexists | Id: /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6
PolicyAssignment: SecurityCenterBuiltIn | Scope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | Parameters: tbd | Id: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
PolicyDisplayName: Authentication to Linux machines should require SSH keys | PolicyCategory: Guest Configuration
PolicyDescription: Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.

Resource: lustre-oss-0 (Microsoft.Compute/virtualMachines) | ResourceGroup: JM-AZHOP-EUS-WKG-RG | ResourceLocation: eastus | ResourceTags: tbd | SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622
ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0
ComplianceState: Compliant | IsCompliant: True
PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | Version: 55.0.0 | Category: security center | Id: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicyDefinition: 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | Version: 2.0.0-preview | ReferenceId: vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | GroupNames: azure_security_benchmark_v3.0_pv-4 | Category: tbd | Action: audit | Id: /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3
PolicyAssignment: SecurityCenterBuiltIn | Scope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | Parameters: tbd | Id: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
PolicyDisplayName: [Preview]: vTPM should be enabled on supported virtual machines | PolicyCategory: Security Center
PolicyDescription: Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.

Resource: azurepolicyforlinux (Microsoft.Compute/virtualMachines/extensions) | ResourceGroup: jm-azhop-eus-wkg-rg | ResourceLocation: eastus | ResourceTags: tbd | SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622
ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0/extensions/azurepolicyforlinux
ComplianceState: Compliant | IsCompliant: True
PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | Version: 55.0.0 | Category: security center | Id: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicyDefinition: d26f7642-7545-4e18-9b75-8c9bbdee3a9a | Version: 1.0.1 | ReferenceId: gcextonvmwithnosamimonitoring | GroupNames: System.Object[] | Category: tbd | Action: auditifnotexists | Id: /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a
PolicyAssignment: Azure_Security_Baseline | Scope: /providers/Microsoft.Management/managementGroups/MCAPSCore | Parameters: tbd | Id: /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
PolicyDisplayName: Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | PolicyCategory: Security Center
PolicyDescription: The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol

Resource: kv2m19zo08 (Microsoft.KeyVault/vaults) | ResourceGroup: jm-azhop-eus-wkg-rg | ResourceLocation: eastus | ResourceTags: tbd | SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622
ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08
ComplianceState: NonCompliant | IsCompliant: False
PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | Version: 55.0.0 | Id: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicyDefinition: 98728c90-32c7-4049-8429-847dc0f4fe37 | Version: 1.0.2 | ReferenceId: secretsexpirationset | Category: tbd | Action: audit | Id: /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37
PolicyAssignment: Azure_Security_Baseline | Scope: /providers/Microsoft.Management/managementGroups/MCAPSCore | Parameters: tbd | Id: /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
PolicyDisplayName: Key Vault secrets should have an expiration date | PolicyCategory: Key Vault
PolicyDescription: Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.

Resource: grafana (Microsoft.Compute/virtualMachines) | ResourceGroup: jm-azhop-eus-wkg-rg | ResourceLocation: eastus | ResourceTags: tbd | SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622
ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana
ComplianceState: Compliant | IsCompliant: True
PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | Version: 55.0.0 | Category: security center | Id: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicyDefinition: 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | Version: 3.0.0 | ReferenceId: authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | GroupNames: azure_security_benchmark_v3.0_im-6 | Category: tbd | Action: auditifnotexists | Id: /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6
PolicyAssignment: Azure_Security_Baseline | Scope: /providers/Microsoft.Management/managementGroups/MCAPSCore | Parameters: tbd | Id: /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
PolicyDisplayName: Authentication to Linux machines should require SSH keys | PolicyCategory: Guest Configuration
PolicyDescription: Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.

Resource: lustre-oss-0 (Microsoft.Compute/virtualMachines) | ResourceGroup: JM-AZHOP-EUS-WKG-RG | ResourceLocation: eastus | ResourceTags: tbd | SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622
ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0
ComplianceState: Compliant | IsCompliant: True
PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | Version: 55.0.0 | Category: security center | Id: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicyDefinition: 0961003e-5a0a-4549-abde-af6a37f2724d | Version: 2.0.3 | ReferenceId: diskencryptionmonitoring | GroupNames: azure_security_benchmark_v3.0_dp-4 | Category: tbd | Action: auditifnotexists | Id: /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d
PolicyAssignment: SecurityCenterBuiltIn | Scope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | Parameters: tbd | Id: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
PolicyDisplayName: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | PolicyCategory: Security Center
PolicyDescription: By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison

Resource: lustre-oss-0 (Microsoft.Compute/virtualMachines) | ResourceGroup: JM-AZHOP-EUS-WKG-RG | ResourceLocation: eastus | ResourceTags: tbd | SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622
ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0
ComplianceState: Compliant | IsCompliant: True
PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | Version: 55.0.0 | Category: security center | Id: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicyDefinition: af6cd1bd-1635-48cb-bde7-5b15693900b9 | Version: 3.0.0 | ReferenceId: endpointprotectionmonitoring | GroupNames: azure_security_benchmark_v3.0_es-2 | Category: tbd | Action: auditifnotexists | Id: /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9
PolicyAssignment: SecurityCenterBuiltIn | Scope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | Parameters: tbd | Id: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
PolicyDisplayName: Monitor missing Endpoint Protection in Azure Security Center | PolicyCategory: Security Center
PolicyDescription: Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations

Resource: lustre-oss-0 (Microsoft.Compute/virtualMachines) | ResourceGroup: JM-AZHOP-EUS-WKG-RG | ResourceLocation: eastus | ResourceTags: tbd | SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622
ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0
ComplianceState: NonCompliant | IsCompliant: False
PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | Version: 55.0.0 | Category: security center | Id: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicyDefinition: e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | Version: 3.0.0 | ReferenceId: systemconfigurationsmonitoring | GroupNames: azure_security_benchmark_v3.0_pv-6 | Category: tbd | Action: auditifnotexists | Id: /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15
PolicyAssignment: SecurityCenterBuiltIn | Scope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | Parameters: tbd | Id: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
PolicyDisplayName: Vulnerabilities in security configuration on your machines should be remediated | PolicyCategory: Security Center
PolicyDescription: Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations

Resource: lustre-oss-0 (Microsoft.Compute/virtualMachines) | ResourceGroup: JM-AZHOP-EUS-WKG-RG | ResourceLocation: eastus | ResourceTags: tbd | SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622
ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0
ComplianceState: Compliant | IsCompliant: True
PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | Version: 55.0.0 | Category: security center | Id: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicyDefinition: bb91dfba-c30d-4263-9add-9c2384e659a6 | Version: 3.0.0 | ReferenceId: networksecuritygroupsoninternalvirtualmachinesmonitoring | GroupNames: azure_security_benchmark_v3.0_ns-1 | Category: tbd | Action: auditifnotexists | Id: /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6
PolicyAssignment: SecurityCenterBuiltIn | Scope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | Parameters: tbd | Id: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
PolicyDisplayName: Non-internet-facing virtual machines should be protected with network security groups | PolicyCategory: Security Center
PolicyDescription: Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc

Resource: lustre-oss-0 (Microsoft.Compute/virtualMachines) | ResourceGroup: JM-AZHOP-EUS-WKG-RG | ResourceLocation: eastus | ResourceTags: tbd | SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622
ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0
ComplianceState: Compliant | IsCompliant: True
PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | Version: 55.0.0 | Category: security center | Id: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicyDefinition: f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | Version: 3.0.0 | ReferenceId: networksecuritygroupsonvirtualmachinesmonitoring | GroupNames: azure_security_benchmark_v3.0_ns-1 | Category: tbd | Action: auditifnotexists | Id: /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c
PolicyAssignment: SecurityCenterBuiltIn | Scope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | Parameters: tbd | Id: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
PolicyDisplayName: Internet-facing virtual machines should be protected with network security groups | PolicyCategory: Security Center
PolicyDescription: Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc

Resource: lustre-oss-0 (Microsoft.Compute/virtualMachines) | ResourceGroup: JM-AZHOP-EUS-WKG-RG | ResourceLocation: eastus | ResourceTags: tbd | SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622
ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0
ComplianceState: Compliant | IsCompliant: True
PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | Version: 55.0.0 | Category: security center | Id: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicyDefinition: 123a3936-f020-408a-ba0c-47873faf1534 | Version: 3.0.0 | ReferenceId: adaptiveapplicationcontrolsupdatemonitoring | GroupNames: azure_security_benchmark_v3.0_am-5 | Category: tbd | Action: auditifnotexists | Id: /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534
PolicyAssignment: SecurityCenterBuiltIn | Scope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | Parameters: tbd | Id: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
PolicyDisplayName: Allowlist rules in your adaptive application control policy should be updated | PolicyCategory: Security Center
PolicyDescription: Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.

Resource: lustre-oss-0 (Microsoft.Compute/virtualMachines) | ResourceGroup: JM-AZHOP-EUS-WKG-RG | ResourceLocation: eastus | ResourceTags: tbd | SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622
ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0
ComplianceState: NonCompliant | IsCompliant: False
PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | Version: 55.0.0 | Category: security center | Id: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicyDefinition: 47a6b606-51aa-4496-8bb7-64b11cf66adc | Version: 3.0.0 | ReferenceId: adaptiveapplicationcontrolsmonitoring | GroupNames: azure_security_benchmark_v3.0_am-5 | Category: tbd | Action: auditifnotexists | Id: /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc
PolicyAssignment: SecurityCenterBuiltIn | Scope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | Parameters: tbd | Id: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
PolicyDisplayName: Adaptive application controls for defining safe applications should be enabled on your machines | PolicyCategory: Security Center
PolicyDescription: Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.

Resource: lustre-oss-0 (Microsoft.Compute/virtualMachines) | ResourceGroup: JM-AZHOP-EUS-WKG-RG | ResourceLocation: eastus | ResourceTags: tbd | SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622
ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0
ComplianceState: Compliant | IsCompliant: True
PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | Version: 55.0.0 | Category: security center | Id: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicyDefinition: b0f33259-77d7-4c9e-aac6-3aabcfae693c | Version: 3.0.0 | ReferenceId: jitnetworkaccessmonitoring | GroupNames: System.Object[] | Category: tbd | Action: auditifnotexists | Id: /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c
PolicyAssignment: SecurityCenterBuiltIn | Scope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | Parameters: tbd | Id: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
PolicyDisplayName: Management ports of virtual machines should be protected with just-in-time network access control | PolicyCategory: Security Center
PolicyDescription: Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations

Resource: lustre-oss-0 (Microsoft.Compute/virtualMachines) | ResourceGroup: JM-AZHOP-EUS-WKG-RG | ResourceLocation: eastus | ResourceTags: tbd | SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622
ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/lustre-oss-0
ComplianceState: Compliant | IsCompliant: True
PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | Version: 55.0.0 | Category: security center | Id: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicyDefinition: f85bf3e0-d513-442e-89c3-1784ad63382b | Version: 1.0.0-preview | ReferenceId: systemupdatesv2monitoring | GroupNames: azure_security_benchmark_v3.0_pv-6 | Category: tbd | Action: auditifnotexists | Id: /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b
PolicyAssignment: SecurityCenterBuiltIn | Scope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | Parameters: tbd | Id: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
PolicyDisplayName: [Preview]: System updates should be installed on your machines (powered by Update Center) | PolicyCategory: Security Center
PolicyDescription: Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.

Resource: grafana (Microsoft.Compute/virtualMachines) | ResourceGroup: jm-azhop-eus-wkg-rg | ResourceLocation: eastus | ResourceTags: tbd | SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622
ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/grafana
ComplianceState: NonCompliant | IsCompliant: False
PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | Version: 55.0.0 | Category: security center | Id: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicyDefinition: 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | Version: 1.0.0 | ReferenceId: installendpointprotection | GroupNames: azure_security_benchmark_v3.0_es-2 | Category: tbd | Action: auditifnotexists | Id: /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8
PolicyAssignment: SecurityCenterBuiltIn | Scope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | Parameters: tbd | Id: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
PolicyDisplayName: Endpoint protection should be installed on your machines | PolicyCategory: Security Center
PolicyDescription: To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.

Resource: jumpbox (Microsoft.Compute/virtualMachines) | ResourceGroup: jm-azhop-eus-wkg-rg | ResourceLocation: eastus | ResourceTags: tbd | SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622
ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/jumpbox
ComplianceState: Compliant | IsCompliant: True
PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | Version: 55.0.0 | Category: security center | Id: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicyDefinition: a4fe33eb-e377-4efb-ab31-0784311bc499 | Version: 1.0.0 | ReferenceId: installloganalyticsagentonvmmonitoring | GroupNames: azure_security_benchmark_v3.0_lt-5 | Category: tbd | Action: auditifnotexists | Id: /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499
PolicyAssignment: SecurityCenterBuiltIn | Scope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | Parameters: tbd | Id: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
PolicyDisplayName: Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring | PolicyCategory: Security Center
PolicyDescription: This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats

Resource: scheduler (Microsoft.Compute/virtualMachines) | ResourceGroup: JM-AZHOP-EUS-WKG-RG | ResourceLocation: eastus | ResourceTags: tbd | SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622
ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.compute/virtualmachines/scheduler
ComplianceState: Compliant | IsCompliant: True
PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | Version: 55.0.0 | Category: security center | Id: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicyDefinition: e8cbc669-f12d-49eb-93e7-9273119e9933 | Version: 3.0.0 | ReferenceId: containerbenchmarkmonitoring | GroupNames: System.Object[] | Category: tbd | Action: auditifnotexists | Id: /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933
PolicyAssignment: Azure_Security_Baseline | Scope: /providers/Microsoft.Management/managementGroups/MCAPSCore | Parameters: tbd | Id: /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
PolicyDisplayName: Vulnerabilities in container security configurations should be remediated | PolicyCategory: Security Center
PolicyDescription: Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.

Resource: jm-azhop-vnet (Microsoft.Network/virtualNetworks) | ResourceGroup: jm-azhop-eus-wkg-rg | ResourceLocation: eastus | ResourceTags: tbd | SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622
ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.network/virtualnetworks/jm-azhop-vnet
ComplianceState: Compliant | IsCompliant: True
PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | Version: 55.0.0 | Category: security center | Id: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicyDefinition: b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | Version: 3.0.0 | ReferenceId: networkwatchershouldbeenabledmonitoringeffect | GroupNames: azure_security_benchmark_v3.0_ir-4 | Category: tbd | Action: auditifnotexists | Id: /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6
PolicyAssignment: Azure_Security_Baseline | Scope: /providers/Microsoft.Management/managementGroups/MCAPSCore | Parameters: tbd | Id: /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
PolicyDisplayName: Network Watcher should be enabled | PolicyCategory: Network
PolicyDescription: Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.

Resource: azhop-2m19zo08 (Microsoft.DBforMySQL/servers) | ResourceGroup: jm-azhop-eus-wkg-rg | ResourceLocation: eastus | ResourceTags: tbd | SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622
ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.dbformysql/servers/azhop-2m19zo08
ComplianceState: Compliant | IsCompliant: True
PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | Version: 55.0.0 | Category: security center | Id: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicyDefinition: e802a67a-daf5-4436-9ea6-f6d821dd0c5d | Version: 1.0.1 | ReferenceId: enforcesslconnectionshouldbeenabledformysqldatabaseserversmonitoringeffect | GroupNames: azure_security_benchmark_v3.0_dp-3 | Category: tbd | Action: audit | Id: /providers/microsoft.authorization/policydefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d
PolicyAssignment: SecurityCenterBuiltIn | Scope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | Parameters: tbd | Id: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
PolicyDisplayName: Enforce SSL connection should be enabled for MySQL database servers | PolicyCategory: SQL
PolicyDescription: Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.

Resource: jm-azhop-vnet (Microsoft.Network/virtualNetworks) | ResourceGroup: jm-azhop-eus-wkg-rg | ResourceLocation: eastus | ResourceTags: tbd | SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622
ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.network/virtualnetworks/jm-azhop-vnet
ComplianceState: Compliant | IsCompliant: True
PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | Version: 55.0.0 | Category: security center | Id: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicyDefinition: b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | Version: 3.0.0 | ReferenceId: networkwatchershouldbeenabledmonitoringeffect | GroupNames: azure_security_benchmark_v3.0_ir-4 | Category: tbd | Action: auditifnotexists | Id: /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6
PolicyAssignment: SecurityCenterBuiltIn | Scope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | Parameters: tbd | Id: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
PolicyDisplayName: Network Watcher should be enabled | PolicyCategory: Network
PolicyDescription: Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.

Resource: azhop-2m19zo08 (Microsoft.DBforMySQL/servers) | ResourceGroup: jm-azhop-eus-wkg-rg | ResourceLocation: eastus | ResourceTags: tbd | SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622
ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.dbformysql/servers/azhop-2m19zo08
ComplianceState: Compliant | IsCompliant: True
PolicySetDefinition: e77fc0b3-f7e9-4c58-bc13-cb753ed8e46e | Version: 1.0.1 | Category: security center | Id: /providers/Microsoft.Authorization/policySetDefinitions/e77fc0b3-f7e9-4c58-bc13-cb753ed8e46e
PolicyDefinition: 80ed5239-4122-41ed-b54a-6f1fa7552816 | Version: 1.0.1 | ReferenceId: deployatponazuredatabaseformysqlserver | Category: tbd | Action: deployifnotexists | Id: /providers/microsoft.authorization/policydefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816
PolicyAssignment: OpenSourceRelationalDatabasesProtectionSecurityCenter | Scope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | Parameters: tbd | Id: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/opensourcerelationaldatabasesprotectionsecuritycenter
PolicyDisplayName: Configure Advanced Threat Protection to be enabled on Azure database for MySQL servers | PolicyCategory: SQL
PolicyDescription: Enable Advanced Threat Protection on your non-Basic tier Azure database for MySQL servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.

Resource: azhop2m19zo08 (Microsoft.Storage/storageAccounts) | ResourceGroup: jm-azhop-eus-wkg-rg | ResourceLocation: eastus | ResourceTags: tbd | SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622
ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.storage/storageaccounts/azhop2m19zo08
ComplianceState: Compliant | IsCompliant: True
PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | Version: 55.0.0 | Category: security center | Id: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicyDefinition: 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | Version: 1.0.0 | ReferenceId: classicstorageaccountsmonitoring | GroupNames: azure_security_benchmark_v3.0_am-2 | Category: tbd | Action: audit | Id: /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606
PolicyAssignment: Azure_Security_Baseline | Scope: /providers/Microsoft.Management/managementGroups/MCAPSCore | Parameters: tbd | Id: /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
PolicyDisplayName: Storage accounts should be migrated to new Azure Resource Manager resources | PolicyCategory: Storage
PolicyDescription: Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.DBforMySQL/serverstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.dbformysql/servers/azhop-2m19zo08azhop-2m19zo0855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2privateendpointshouldbeenabledformysqlserversmonitoringeffect7595c971-233d-4bcf-bd18-596129188c49/providers/microsoft.authorization/policydefinitions/7595c971-233d-4bcf-bd18-596129188c49azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPrivate endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.SQLPrivate endpoint should be enabled for MySQL servers
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.storage/storageaccounts/azhop2m19zo08azhop2m19zo0855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Network/virtualNetworkstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.network/virtualnetworks/jm-azhop-vnetjm-azhop-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0-previewazurefirewalleffectfc5e4038-4584-4632-8c85-c0448d374b2c/providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2cazure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewallNetwork[Preview]: All Internet traffic should be routed via your deployed Azure Firewall
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Network/virtualNetworks/subnetstbdFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.network/virtualnetworks/jm-azhop-vnet/subnets/netappnetapp55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.network/virtualnetworks/jm-azhop-vnet/subnets/computecompute55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.network/virtualnetworks/jm-azhop-vnet/subnets/frontendfrontend55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.network/virtualnetworks/jm-azhop-vnet/subnets/adminadmin55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Network/virtualNetworkstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.network/virtualnetworks/jm-azhop-vnetjm-azhop-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0-previewazurefirewalleffectfc5e4038-4584-4632-8c85-c0448d374b2c/providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2cazure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewallNetwork[Preview]: All Internet traffic should be routed via your deployed Azure Firewall
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08kv2m19zo0855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.network/virtualnetworks/jm-azhop-vnet/subnets/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Network/virtualNetworkstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.network/virtualnetworks/jm-azhop-vnetjm-azhop-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vnetenableddosprotectionmonitoringa7aca53f-2ed4-4466-a25e-0b45ade68efd/providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efdazure_security_benchmark_v3.0_ns-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.Security CenterAzure DDoS Protection Standard should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.DBforMySQL/serverstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.dbformysql/servers/azhop-2m19zo08azhop-2m19zo0855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0publicnetworkaccessshouldbedisabledformysqlserversmonitoringeffectd9844e8a-1437-4aeb-a32c-0c992f056095/providers/microsoft.authorization/policydefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineDisable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.SQLPublic network access should be disabled for MySQL servers
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.storage/storageaccounts/azhop2m19zo08azhop2m19zo0855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08kv2m19zo0855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.DBforMySQL/serverstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.dbformysql/servers/azhop-2m19zo08azhop-2m19zo0855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1enforcesslconnectionshouldbeenabledformysqldatabaseserversmonitoringeffecte802a67a-daf5-4436-9ea6-f6d821dd0c5d/providers/microsoft.authorization/policydefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5dazure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.SQLEnforce SSL connection should be enabled for MySQL database servers
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.storage/storageaccounts/azhop2m19zo08azhop2m19zo0855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.storage/storageaccounts/azhop2m19zo08azhop2m19zo0855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08kv2m19zo0855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center5.0.0diagnosticslogsinkeyvaultmonitoringcf820ca0-f99e-4f3e-84fb-66e913812d21/providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromisedKey VaultResource logs in Key Vault should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08kv2m19zo0855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08kv2m19zo0855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center5.0.0diagnosticslogsinkeyvaultmonitoringcf820ca0-f99e-4f3e-84fb-66e913812d21/providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromisedKey VaultResource logs in Key Vault should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.DBforMySQL/serverstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.dbformysql/servers/azhop-2m19zo08azhop-2m19zo0855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1georedundantbackupshouldbeenabledforazuredatabaseformysqlmonitoringeffect82339799-d096-41ae-8538-b108becf0970/providers/microsoft.authorization/policydefinitions/82339799-d096-41ae-8538-b108becf0970System.Object[]tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.SQLGeo-redundant backup should be enabled for Azure Database for MySQL
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.DBforMySQL/serverstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.dbformysql/servers/azhop-2m19zo08azhop-2m19zo0855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0publicnetworkaccessshouldbedisabledformysqlserversmonitoringeffectd9844e8a-1437-4aeb-a32c-0c992f056095/providers/microsoft.authorization/policydefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDisable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.SQLPublic network access should be disabled for MySQL servers
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.storage/storageaccounts/azhop2m19zo08azhop2m19zo0855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.DBforMySQL/serverstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.dbformysql/servers/azhop-2m19zo08azhop-2m19zo0855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2privateendpointshouldbeenabledformysqlserversmonitoringeffect7595c971-233d-4bcf-bd18-596129188c49/providers/microsoft.authorization/policydefinitions/7595c971-233d-4bcf-bd18-596129188c49azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePrivate endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.SQLPrivate endpoint should be enabled for MySQL servers
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.DBforMySQL/serverstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.dbformysql/servers/azhop-2m19zo08azhop-2m19zo0855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1georedundantbackupshouldbeenabledforazuredatabaseformysqlmonitoringeffect82339799-d096-41ae-8538-b108becf0970/providers/microsoft.authorization/policydefinitions/82339799-d096-41ae-8538-b108becf0970System.Object[]tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.SQLGeo-redundant backup should be enabled for Azure Database for MySQL
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.storage/storageaccounts/azhop2m19zo08azhop2m19zo0855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.storage/storageaccounts/azhop2m19zo08azhop2m19zo0855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08kv2m19zo0855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08kv2m19zo0855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0-previewprivateendpointshouldbeconfiguredforkeyvaultmonitoringeffect5f0bc445-3935-4915-9981-011aa2b46147/providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147System.Object[]tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePrivate link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration.Key Vault[Preview]: Private endpoint should be configured for Key Vault
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08kv2m19zo0855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0firewallshouldbeenabledonkeyvaultmonitoringeffect55615ac9-af46-4a59-874e-391cc3dfb490/providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490System.Object[]tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-securityKey VaultAzure Key Vault should have firewall enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.KeyVault/vaultstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08kv2m19zo0855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0keyvaultsshouldhavesoftdeleteenabledmonitoringeffect1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d/providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2dazure_security_benchmark_v3.0_dp-8tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineDeleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.Key VaultKey vaults should have soft delete enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08kv2m19zo0855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect0b60c0b2-2dc2-4e1c-b5c9-abbed971de53/providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53azure_security_benchmark_v3.0_dp-8tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMalicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.Key VaultKey vaults should have purge protection enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.storage/storageaccounts/azhop2m19zo08azhop2m19zo0855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08kv2m19zo0855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0-previewprivateendpointshouldbeconfiguredforkeyvaultmonitoringeffect5f0bc445-3935-4915-9981-011aa2b46147/providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147System.Object[]tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPrivate link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration.Key Vault[Preview]: Private endpoint should be configured for Key Vault
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.storage/storageaccounts/azhop2m19zo08azhop2m19zo0855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.storage/storageaccounts/azhop2m19zo08azhop2m19zo0855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08kv2m19zo0855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0firewallshouldbeenabledonkeyvaultmonitoringeffect55615ac9-af46-4a59-874e-391cc3dfb490/providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490System.Object[]tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-securityKey VaultAzure Key Vault should have firewall enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08kv2m19zo0855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect0b60c0b2-2dc2-4e1c-b5c9-abbed971de53/providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53azure_security_benchmark_v3.0_dp-8tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMalicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.Key VaultKey vaults should have purge protection enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-eus-wkg-rgMicrosoft.KeyVault/vaultstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-eus-wkg-rg/providers/microsoft.keyvault/vaults/kv2m19zo08kv2m19zo0855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0keyvaultsshouldhavesoftdeleteenabledmonitoringeffect1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d/providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2dazure_security_benchmark_v3.0_dp-8tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDeleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.Key VaultKey vaults should have soft delete enabled
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.storage/storageaccounts/jmazhopnfseusjmazhopnfseus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0windowsguestconfigbaselinesmonitoring72650e9f-97bc-4b2a-ab5f-9781a9fcecbc/providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbcazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationWindows machines should meet requirements of the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifakvsryejifa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center5.0.0diagnosticslogsinkeyvaultmonitoringcf820ca0-f99e-4f3e-84fb-66e913812d21/providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromisedKey VaultResource logs in Key Vault should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifakvsryejifa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.storage/storageaccounts/jmazhopnfseusjmazhopnfseus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.storage/storageaccounts/azhopsryejifaazhopsryejifa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.storage/storageaccounts/jmazhopnfseusjmazhopnfseus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2-previewascdependencyagentauditlinuxeffect04c4380f-3fae-46e8-96c9-30193528f602/providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602azure_security_benchmark_v3.0_lt-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecurity Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.Monitoring[Preview]: Network traffic data collection agent should be installed on Linux virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.storage/storageaccounts/azhopsryejifaazhopsryejifa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
SubscriptionId,ResourceGroup,ResourceType,ResourceLocation,IsCompliant,ComplianceState,Resource,PolicySetDefinitionName,PolicySetDefinitionVersion,PolicySetDefinitionCategory,PolicyDefinitionVersion,PolicyDefinitionReferenceId,PolicyDefinitionName,PolicyDefinitionGroupNames,PolicyDefinitionAction,PolicyAssignmentScope,PolicyAssignmentName,PolicyCategory,PolicyDisplayName,PolicyDescription
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,eastus,True,Compliant,jumpbox,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,55.0.0,security center,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,audit,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Security Center,"[Preview]: vTPM should be enabled on supported virtual machines","Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines."
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,eastus,False,NonCompliant,jumpbox,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,55.0.0,security center,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,audit,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Update Management Center,"[Preview]: Machines should be configured to periodically check for missing system updates","To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode."
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,eastus,True,Compliant,jumpbox,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,55.0.0,security center,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,audit,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Compute,"Virtual machines should be migrated to new Azure Resource Manager resources","Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,eastus,True,Compliant,jumpbox,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,55.0.0,security center,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,audit,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Security Center,"[Preview]: Secure Boot should be enabled on supported Windows virtual machines","Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines."
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,eastus,True,Compliant,jumpbox,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,55.0.0,security center,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,audit,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Security Center,"[Preview]: vTPM should be enabled on supported virtual machines","Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines."
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,eastus,False,NonCompliant,jumpbox,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,55.0.0,security center,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,audit,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Update Management Center,"[Preview]: Machines should be configured to periodically check for missing system updates","To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode."
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,eastus,True,Compliant,jumpbox,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,55.0.0,security center,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,audit,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Compute,"Virtual machines should be migrated to new Azure Resource Manager resources","Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,eastus,True,Compliant,jumpbox,12794019-7a00-42cf-95c2-882eed337cc8,1.0.0,guest configuration,4.0.0,prerequisite_addsystemidentitywhenuser,497dff13-db2a-4c0f-8603-28fa3b331ab6,,modify,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,f34f1577286a4f77b5dd107c,Guest Configuration,"Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity","This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol."
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,eastus,True,Compliant,jumpbox,12794019-7a00-42cf-95c2-882eed337cc8,1.0.0,guest configuration,4.0.0,prerequisite_addsystemidentitywhennone,3cf2ab00-13f1-4d0c-8971-2ac904541a7e,,modify,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,f34f1577286a4f77b5dd107c,Guest Configuration,"Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities","This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol."
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,eastus,True,Exempt,jumpbox,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,55.0.0,security center,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Security Center,"System updates should be installed on your machines","Missing security system updates on your servers will be monitored by Azure Security Center as recommendations"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,eastus,True,Compliant,jumpbox,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,55.0.0,security center,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,auditifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Security Center,"All network ports should be restricted on network security groups associated to your virtual machine","Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources."
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,eastus,True,Compliant,jumpbox,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,55.0.0,security center,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Security Center,"All network ports should be restricted on network security groups associated to your virtual machine","Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources."
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,eastus,True,Compliant,jumpbox,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,55.0.0,security center,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Security Center,"Adaptive network hardening recommendations should be applied on internet facing virtual machines","Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,eastus,True,Compliant,jumpbox,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,55.0.0,security center,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,auditifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources","By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,eastus,True,Compliant,jumpbox,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,55.0.0,security center,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,auditifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Security Center,"Monitor missing Endpoint Protection in Azure Security Center","Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,eastus,False,NonCompliant,jumpbox,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,55.0.0,security center,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,auditifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Security Center,"Vulnerabilities in security configuration on your machines should be remediated","Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,eastus,True,Compliant,jumpbox,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,55.0.0,security center,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,auditifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Security Center,"Guest Configuration extension should be installed on your machines","To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol."
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,eastus,True,Compliant,jumpbox,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,55.0.0,security center,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,auditifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Security Center,"Internet-facing virtual machines should be protected with network security groups","Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,eastus,True,Compliant,jumpbox,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,55.0.0,security center,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,auditifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Security Center,"Allowlist rules in your adaptive application control policy should be updated","Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies."
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,eastus,False,NonCompliant,jumpbox,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,55.0.0,security center,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,auditifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Security Center,"Adaptive application controls for defining safe applications should be enabled on your machines","Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications."
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,eastus,True,Compliant,jumpbox,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,55.0.0,security center,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],auditifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Security Center,"Management ports of virtual machines should be protected with just-in-time network access control","Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,eastus,True,Compliant,jumpbox,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,55.0.0,security center,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,auditifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Security Center,"[Preview]: System updates should be installed on your machines (powered by Update Center)","Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps."
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,eastus,True,Compliant,jumpbox,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,55.0.0,security center,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,auditifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Security Center,"System updates should be installed on your machines","Missing security system updates on your servers will be monitored by Azure Security Center as recommendations"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,eastus,True,Compliant,jumpbox,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,55.0.0,security center,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Security Center,"A vulnerability assessment solution should be enabled on your virtual machines","Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you."
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,eastus,True,Compliant,guacamole,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,55.0.0,security center,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Guest Configuration,"Authentication to Linux machines should require SSH keys","Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed."
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,eastus,False,NonCompliant,jumpbox,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,55.0.0,security center,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,System.Object[],auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Backup,"Azure Backup should be enabled for Virtual Machines","Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure."
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,eastus,True,Compliant,jumpbox,12794019-7a00-42cf-95c2-882eed337cc8,1.0.0,guest configuration,3.0.0,prerequisite_deployextensionlinux,331e8ea8-378a-410f-a2e5-ae22f38bb0da,,deployifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,f34f1577286a4f77b5dd107c,Guest Configuration,"Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs","This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol."
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,eastus,False,NonCompliant,jumpbox,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,55.0.0,security center,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Security Center,"Endpoint protection health issues should be resolved on your machines","Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection."
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,eastus,False,NonCompliant,jumpbox,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,55.0.0,security center,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Security Center,"Endpoint protection should be installed on your machines","To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution."
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,eastus,False,NonCompliant,ad,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,55.0.0,security center,2.0.0,windowsdefenderexploitguardmonitoring,bed48b13-6647-468e-aa2f-1af1d3f4dd40,System.Object[],auditifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Guest Configuration,"Windows Defender Exploit Guard should be enabled on your machines","Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only)."
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2-previewascdependencyagentauditlinuxeffect04c4380f-3fae-46e8-96c9-30193528f602/providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602azure_security_benchmark_v3.0_lt-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSecurity Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.Monitoring[Preview]: Network traffic data collection agent should be installed on Linux virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.storage/storageaccounts/azhopsryejifaazhopsryejifa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.storage/storageaccounts/azhopsryejifaazhopsryejifa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafanagrafana1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafanagrafana1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2-previewascdependencyagentauditlinuxeffect04c4380f-3fae-46e8-96c9-30193528f602/providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602azure_security_benchmark_v3.0_lt-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecurity Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.Monitoring[Preview]: Network traffic data collection agent should be installed on Linux virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
Compliance states for subscription 1d81cec7-7ded-4731-884e-90c5aa59c622, resource group jm-azhop-existingsubnet (exported with mixed casing; Azure resource group names are case-insensitive), location eastus, ResourceTags: tbd. Every row was evaluated through the policy set 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (PolicySetDefinitionId /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8, category "security center", version 55.0.0). ResourceId is /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/<ResourceType>/<Resource>.

Policy assignments referenced:
- Azure_Security_Baseline, scope /providers/Microsoft.Management/managementGroups/MCAPSCore, PolicyAssignmentId /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline, parameters: tbd
- SecurityCenterBuiltIn, scope /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622, PolicyAssignmentId /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin, parameters: tbd

A PolicyDefinitionGroupNames value of "System.Object[]" is an export artifact (the column held a PowerShell array that was not expanded), not a benchmark control. Note that several definitions are evaluated twice for the same resource, once per assignment; row counts therefore overstate the number of distinct findings.

Resource | ResourceType | IsCompliant | ComplianceState | PolicyDefinitionName | PolicyDisplayName | PolicyDefinitionGroupNames | PolicyDefinitionAction | PolicyAssignmentName
ccportal | Microsoft.Compute/virtualMachines | False | NonCompliant | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | SQL servers on machines should have vulnerability findings resolved | azure_security_benchmark_v3.0_pv-6 | auditifnotexists | Azure_Security_Baseline
ccportal | Microsoft.Compute/virtualMachines | True | Compliant | 9daedab3-fb2d-461e-b861-71790eead4f6 | All network ports should be restricted on network security groups associated to your virtual machine | azure_security_benchmark_v3.0_ns-1 | auditifnotexists | Azure_Security_Baseline
ccportal | Microsoft.Compute/virtualMachines | True | Compliant | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | A vulnerability assessment solution should be enabled on your virtual machines | azure_security_benchmark_v3.0_pv-5 | auditifnotexists | Azure_Security_Baseline
ccportal | Microsoft.Compute/virtualMachines | True | Compliant | 0961003e-5a0a-4549-abde-af6a37f2724d | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | azure_security_benchmark_v3.0_dp-4 | auditifnotexists | Azure_Security_Baseline
ccportal | Microsoft.Compute/virtualMachines | True | Compliant | af6cd1bd-1635-48cb-bde7-5b15693900b9 | Monitor missing Endpoint Protection in Azure Security Center | azure_security_benchmark_v3.0_es-2 | auditifnotexists | Azure_Security_Baseline
grafana | Microsoft.Compute/virtualMachines | False | NonCompliant | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | [Preview]: Machines should be configured to periodically check for missing system updates | azure_security_benchmark_v3.0_pv-6 | audit | SecurityCenterBuiltIn
ccportal | Microsoft.Compute/virtualMachines | False | NonCompliant | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | Vulnerabilities in security configuration on your machines should be remediated | azure_security_benchmark_v3.0_pv-6 | auditifnotexists | Azure_Security_Baseline
grafana | Microsoft.Compute/virtualMachines | True | Compliant | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | [Preview]: vTPM should be enabled on supported virtual machines | azure_security_benchmark_v3.0_pv-4 | audit | SecurityCenterBuiltIn
grafana | Microsoft.Compute/virtualMachines | True | Compliant | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | Virtual machines should be migrated to new Azure Resource Manager resources | azure_security_benchmark_v3.0_am-2 | audit | Azure_Security_Baseline
grafana | Microsoft.Compute/virtualMachines | False | NonCompliant | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | SQL servers on machines should have vulnerability findings resolved | azure_security_benchmark_v3.0_pv-6 | auditifnotexists | SecurityCenterBuiltIn
grafana | Microsoft.Compute/virtualMachines | True | Compliant | 9daedab3-fb2d-461e-b861-71790eead4f6 | All network ports should be restricted on network security groups associated to your virtual machine | azure_security_benchmark_v3.0_ns-1 | auditifnotexists | SecurityCenterBuiltIn
grafana | Microsoft.Compute/virtualMachines | True | Compliant | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | A vulnerability assessment solution should be enabled on your virtual machines | azure_security_benchmark_v3.0_pv-5 | auditifnotexists | SecurityCenterBuiltIn
grafana | Microsoft.Compute/virtualMachines | True | Compliant | 0961003e-5a0a-4549-abde-af6a37f2724d | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | azure_security_benchmark_v3.0_dp-4 | auditifnotexists | SecurityCenterBuiltIn
grafana | Microsoft.Compute/virtualMachines | True | Compliant | af6cd1bd-1635-48cb-bde7-5b15693900b9 | Monitor missing Endpoint Protection in Azure Security Center | azure_security_benchmark_v3.0_es-2 | auditifnotexists | SecurityCenterBuiltIn
jumpbox | Microsoft.Compute/virtualMachines | False | NonCompliant | fc9b3da7-8347-4380-8e70-0a0361d8dedd | Linux machines should meet requirements for the Azure compute security baseline | azure_security_benchmark_v3.0_pv-4 | auditifnotexists | Azure_Security_Baseline
grafana | Microsoft.Compute/virtualMachines | False | NonCompliant | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | Vulnerabilities in security configuration on your machines should be remediated | azure_security_benchmark_v3.0_pv-6 | auditifnotexists | SecurityCenterBuiltIn
grafana | Microsoft.Compute/virtualMachines | True | Compliant | bb91dfba-c30d-4263-9add-9c2384e659a6 | Non-internet-facing virtual machines should be protected with network security groups | azure_security_benchmark_v3.0_ns-1 | auditifnotexists | SecurityCenterBuiltIn
grafana | Microsoft.Compute/virtualMachines | True | Compliant | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | Internet-facing virtual machines should be protected with network security groups | azure_security_benchmark_v3.0_ns-1 | auditifnotexists | SecurityCenterBuiltIn
grafana | Microsoft.Compute/virtualMachines | True | Compliant | 123a3936-f020-408a-ba0c-47873faf1534 | Allowlist rules in your adaptive application control policy should be updated | azure_security_benchmark_v3.0_am-5 | auditifnotexists | SecurityCenterBuiltIn
grafana | Microsoft.Compute/virtualMachines | False | NonCompliant | 47a6b606-51aa-4496-8bb7-64b11cf66adc | Adaptive application controls for defining safe applications should be enabled on your machines | azure_security_benchmark_v3.0_am-5 | auditifnotexists | SecurityCenterBuiltIn
grafana | Microsoft.Compute/virtualMachines | True | Compliant | b0f33259-77d7-4c9e-aac6-3aabcfae693c | Management ports of virtual machines should be protected with just-in-time network access control | System.Object[] | auditifnotexists | SecurityCenterBuiltIn
grafana | Microsoft.Compute/virtualMachines | True | Compliant | f85bf3e0-d513-442e-89c3-1784ad63382b | [Preview]: System updates should be installed on your machines (powered by Update Center) | azure_security_benchmark_v3.0_pv-6 | auditifnotexists | SecurityCenterBuiltIn
grafana | Microsoft.Compute/virtualMachines | True | Compliant | a4fe33eb-e377-4efb-ab31-0784311bc499 | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring | azure_security_benchmark_v3.0_lt-5 | auditifnotexists | SecurityCenterBuiltIn
ccportal | Microsoft.Compute/virtualMachines | False | NonCompliant | 013e242c-8828-4970-87b3-ab247555486d | Azure Backup should be enabled for Virtual Machines | System.Object[] | auditifnotexists | Azure_Security_Baseline
grafana | Microsoft.Compute/virtualMachines | True | Exempt | 86b3d65f-7626-441e-b690-81a8b71cff60 | System updates should be installed on your machines | azure_security_benchmark_v3.0_pv-6 | auditifnotexists | SecurityCenterBuiltIn
grafana | Microsoft.Compute/virtualMachines | True | Compliant | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | [Preview]: Secure Boot should be enabled on supported Windows virtual machines | azure_security_benchmark_v3.0_pv-4 | audit | Azure_Security_Baseline
grafana | Microsoft.Compute/virtualMachines | True | Compliant | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | [Preview]: vTPM should be enabled on supported virtual machines | azure_security_benchmark_v3.0_pv-4 | audit | Azure_Security_Baseline
grafana | Microsoft.Compute/virtualMachines | False | NonCompliant | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | [Preview]: Machines should be configured to periodically check for missing system updates | azure_security_benchmark_v3.0_pv-6 | audit | Azure_Security_Baseline
grafana | Microsoft.Compute/virtualMachines | True | Compliant | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | [Preview]: Secure Boot should be enabled on supported Windows virtual machines | azure_security_benchmark_v3.0_pv-4 | audit | SecurityCenterBuiltIn
jmazhopnfseus | Microsoft.Storage/storageAccounts | False | NonCompliant | 404c3081-a854-4457-ae30-26a93ef643f9 | Secure transfer to storage accounts should be enabled | azure_security_benchmark_v3.0_dp-3 | audit | SecurityCenterBuiltIn
ccportal | Microsoft.Compute/virtualMachines | True | Compliant | bb91dfba-c30d-4263-9add-9c2384e659a6 | Non-internet-facing virtual machines should be protected with network security groups | azure_security_benchmark_v3.0_ns-1 | auditifnotexists | Azure_Security_Baseline

Policy definitions referenced above. PolicyDefinitionId is /providers/microsoft.authorization/policydefinitions/<PolicyDefinitionName>; PolicyDefinitionCategory was exported as tbd for all of them. Each entry gives PolicyDefinitionName (PolicyDefinitionVersion, PolicyDefinitionReferenceId, PolicyCategory): PolicyDisplayName, followed by PolicyDescription.

- 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d (1.0.0, serversqldbvulnerabilityassesmentmonitoring, Security Center): SQL servers on machines should have vulnerability findings resolved. SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.
- 9daedab3-fb2d-461e-b861-71790eead4f6 (3.0.0, nextgenerationfirewallmonitoring, Security Center): All network ports should be restricted on network security groups associated to your virtual machine. Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.
- 501541f7-f7e7-4cd6-868c-4190fdad3ac9 (3.0.0, servervulnerabilityassessment, Security Center): A vulnerability assessment solution should be enabled on your virtual machines. Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.
- 0961003e-5a0a-4549-abde-af6a37f2724d (2.0.3, diskencryptionmonitoring, Security Center): Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources. By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison
- af6cd1bd-1635-48cb-bde7-5b15693900b9 (3.0.0, endpointprotectionmonitoring, Security Center): Monitor missing Endpoint Protection in Azure Security Center. Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations.
- bd876905-5b84-4f73-ab2d-2e7a7c4568d9 (2.0.0-preview, systemupdatesautoassessmentmode, Update Management Center): [Preview]: Machines should be configured to periodically check for missing system updates. To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.
- e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 (3.0.0, systemconfigurationsmonitoring, Security Center): Vulnerabilities in security configuration on your machines should be remediated. Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations.
- 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 (2.0.0-preview, vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect, Security Center): [Preview]: vTPM should be enabled on supported virtual machines. Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.
- 1d84d5fb-01f6-4d12-ba4f-4a26081d403d (1.0.0, classiccomputevmsmonitoring, Compute): Virtual machines should be migrated to new Azure Resource Manager resources. Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management.
- fc9b3da7-8347-4380-8e70-0a0361d8dedd (2.0.0, linuxguestconfigbaselinesmonitoring, Guest Configuration): Linux machines should meet requirements for the Azure compute security baseline. Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.
- bb91dfba-c30d-4263-9add-9c2384e659a6 (3.0.0, networksecuritygroupsoninternalvirtualmachinesmonitoring, Security Center): Non-internet-facing virtual machines should be protected with network security groups. Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc
- f6de0be7-9a8a-4b8a-b349-43cf02d22f7c (3.0.0, networksecuritygroupsonvirtualmachinesmonitoring, Security Center): Internet-facing virtual machines should be protected with network security groups. Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc
- 123a3936-f020-408a-ba0c-47873faf1534 (3.0.0, adaptiveapplicationcontrolsupdatemonitoring, Security Center): Allowlist rules in your adaptive application control policy should be updated. Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.
- 47a6b606-51aa-4496-8bb7-64b11cf66adc (3.0.0, adaptiveapplicationcontrolsmonitoring, Security Center): Adaptive application controls for defining safe applications should be enabled on your machines. Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.
- b0f33259-77d7-4c9e-aac6-3aabcfae693c (3.0.0, jitnetworkaccessmonitoring, Security Center): Management ports of virtual machines should be protected with just-in-time network access control. Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations.
- f85bf3e0-d513-442e-89c3-1784ad63382b (1.0.0-preview, systemupdatesv2monitoring, Security Center): [Preview]: System updates should be installed on your machines (powered by Update Center). Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.
- a4fe33eb-e377-4efb-ab31-0784311bc499 (1.0.0, installloganalyticsagentonvmmonitoring, Security Center): Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring. This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed, which Security Center uses to monitor for security vulnerabilities and threats.
- 013e242c-8828-4970-87b3-ab247555486d (3.0.0, azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect, Backup): Azure Backup should be enabled for Virtual Machines. Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.
- 86b3d65f-7626-441e-b690-81a8b71cff60 (4.0.0, systemupdatesmonitoring, Security Center): System updates should be installed on your machines. Missing security system updates on your servers will be monitored by Azure Security Center as recommendations.
- 97566dd7-78ae-4997-8b36-1c7bfe0d8121 (4.0.0-preview, previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect, Security Center): [Preview]: Secure Boot should be enabled on supported Windows virtual machines. Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.
- 404c3081-a854-4457-ae30-26a93ef643f9 (2.0.0, securetransfertostorageaccountmonitoring, Storage): Secure transfer to storage accounts should be enabled. Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect5752e6d6-1206-46d8-8ab1-ecc2f71a8112/providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112azure_security_benchmark_v3.0_dp-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.Guest ConfigurationWindows web servers should be configured to use secure communication protocols
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportalccportal1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportalccportal1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifakvsryejifa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center5.0.0diagnosticslogsinkeyvaultmonitoringcf820ca0-f99e-4f3e-84fb-66e913812d21/providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromisedKey VaultResource logs in Key Vault should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole,guacamole,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Linux machines should meet requirements for the Azure compute security baseline"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal,ccportal,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,"Adaptive application controls for defining safe applications should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal,ccportal,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,"Management ports of virtual machines should be protected with just-in-time network access control"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal,ccportal,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,"[Preview]: System updates should be installed on your machines (powered by Update Center)"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole,guacamole,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,"Authentication to Linux machines should require SSH keys"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox,jumpbox,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,"Authentication to Linux machines should require SSH keys"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal,ccportal,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,"System updates should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal,ccportal,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,"Azure Backup should be enabled for Virtual Machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal,ccportal,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,"Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal,ccportal,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,3.0.0,prerequisite_deployextensionlinux,331e8ea8-378a-410f-a2e5-ae22f38bb0da,/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da,,tbd,deployifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal,ccportal,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,"Endpoint protection health issues should be resolved on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal,ccportal,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,"Endpoint protection should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal,ccportal,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2-preview,ascdependencyagentauditlinuxeffect,04c4380f-3fae-46e8-96c9-30193528f602,/providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602,azure_security_benchmark_v3.0_lt-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.",Monitoring,"[Preview]: Network traffic data collection agent should be installed on Linux virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal,ccportal,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,"Vulnerabilities in container security configurations should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal,ccportal,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,"IP Forwarding on your virtual machine should be disabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal,ccportal,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,"Management ports should be closed on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal,ccportal,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,"Adaptive network hardening recommendations should be applied on internet facing virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal,ccportal,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,"SQL servers on machines should have vulnerability findings resolved"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal,ccportal,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,"All network ports should be restricted on network security groups associated to your virtual machine"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal,ccportal,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,"A vulnerability assessment solution should be enabled on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal,ccportal,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole,guacamole,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,"Endpoint protection health issues should be resolved on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole,guacamole,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,"A vulnerability assessment solution should be enabled on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad,ad,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect,5752e6d6-1206-46d8-8ab1-ecc2f71a8112,/providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112,azure_security_benchmark_v3.0_dp-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.",Guest Configuration,"Windows web servers should be configured to use secure communication protocols"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.storage/storageaccounts/azhopsryejifa,azhopsryejifa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,"[Preview]: Storage account public access should be disallowed"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Storage/storageAccounts,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.storage/storageaccounts/jmazhopnfseus,jmazhopnfseus,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,"Secure transfer to storage accounts should be enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.KeyVault/vaults,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifa,kvsryejifa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,,,1.0.2,secretsexpirationset,98728c90-32c7-4049-8429-847dc0f4fe37,/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37,,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.",Key Vault,"Key Vault secrets should have an expiration date"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Storage/storageAccounts,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.storage/storageaccounts/azhopsryejifa,azhopsryejifa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,"Storage accounts should restrict network access using virtual network rules"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler,scheduler,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Linux machines should meet requirements for the Azure compute security baseline"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.KeyVault/vaults,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifa,kvsryejifa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,,,1.0.2,secretsexpirationset,98728c90-32c7-4049-8429-847dc0f4fe37,/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37,,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.",Key Vault,"Key Vault secrets should have an expiration date"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.storage/storageaccounts/jmazhopnfseus,jmazhopnfseus,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,"Storage accounts should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.storage/storageaccounts/jmazhopnfseusjmazhopnfseus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.storage/storageaccounts/jmazhopnfseusjmazhopnfseus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.storage/storageaccounts/azhopsryejifaazhopsryejifa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.storage/storageaccounts/jmazhopnfseusjmazhopnfseus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.storage/storageaccounts/azhopsryejifaazhopsryejifa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.storage/storageaccounts/jmazhopnfseusjmazhopnfseus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifakvsryejifa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifakvsryejifa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifakvsryejifa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifakvsryejifa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.storage/storageaccounts/azhopsryejifaazhopsryejifa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ad/extensions/azurepolicyforwindowsazurepolicyforwindows55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifakvsryejifa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifakvsryejifa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifakvsryejifa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifakvsryejifa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifakvsryejifa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifakvsryejifa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifakvsryejifa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifakvsryejifa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifakvsryejifa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifakvsryejifa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifakvsryejifa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifakvsryejifa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Network/virtualNetworkstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.network/virtualnetworks/jm-azhop-existing-vnetjm-azhop-existing-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vnetenableddosprotectionmonitoringa7aca53f-2ed4-4466-a25e-0b45ade68efd/providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efdazure_security_benchmark_v3.0_ns-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.Security CenterAzure DDoS Protection Standard should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Network/virtualNetworkstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.network/virtualnetworks/jm-azhop-existing-vnetjm-azhop-existing-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0-previewazurefirewalleffectfc5e4038-4584-4632-8c85-c0448d374b2c/providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2cazure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewallNetwork[Preview]: All Internet traffic should be routed via your deployed Azure Firewall
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.network/virtualnetworks/jm-azhop-existing-vnet/subnets/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.network/virtualnetworks/jm-azhop-existing-vnet/subnets/adminadmin55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.network/virtualnetworks/jm-azhop-existing-vnet/subnets/computecompute55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.network/virtualnetworks/jm-azhop-existing-vnet/subnets/frontendfrontend55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Network/virtualNetworks/subnetstbdFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.network/virtualnetworks/jm-azhop-existing-vnet/subnets/netappnetapp55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Network/virtualNetworkstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.network/virtualnetworks/jm-azhop-existing-vnetjm-azhop-existing-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0-previewazurefirewalleffectfc5e4038-4584-4632-8c85-c0448d374b2c/providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2cazure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewallNetwork[Preview]: All Internet traffic should be routed via your deployed Azure Firewall
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Network/virtualNetworkstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.network/virtualnetworks/jm-azhop-existing-vnetjm-azhop-existing-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Network/virtualNetworkstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.network/virtualnetworks/jm-azhop-existing-vnetjm-azhop-existing-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifakvsryejifa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.network/virtualnetworks/jm-azhop-existing-vnet/subnets/defaultdefault55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2-previewascdependencyagentauditlinuxeffect04c4380f-3fae-46e8-96c9-30193528f602/providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602azure_security_benchmark_v3.0_lt-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSecurity Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.Monitoring[Preview]: Network traffic data collection agent should be installed on Linux virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.storage/storageaccounts/jmazhopnfseusjmazhopnfseus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifakvsryejifa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2-previewascdependencyagentauditwindowseffect2f2ee1de-44aa-4762-b6bd-0893fc3f306d/providers/microsoft.authorization/policydefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306dazure_security_benchmark_v3.0_lt-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSecurity Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.Monitoring[Preview]: Network traffic data collection agent should be installed on Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration1.2.0prerequisite_deployextensionwindows385f5831-96d4-41db-9a3c-cd3af78aaae6/providers/microsoft.authorization/policydefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6tbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.storage/storageaccounts/azhopsryejifaazhopsryejifa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2-previewascdependencyagentauditwindowseffect2f2ee1de-44aa-4762-b6bd-0893fc3f306d/providers/microsoft.authorization/policydefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306dazure_security_benchmark_v3.0_lt-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecurity Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.Monitoring[Preview]: Network traffic data collection agent should be installed on Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0windowsdefenderexploitguardmonitoringbed48b13-6647-468e-aa2f-1af1d3f4dd40/providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinWindows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).Guest ConfigurationWindows Defender Exploit Guard should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/adad55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox,jumpbox,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2-preview,ascdependencyagentauditlinuxeffect,04c4380f-3fae-46e8-96c9-30193528f602,/providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602,azure_security_benchmark_v3.0_lt-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.",Monitoring,"[Preview]: Network traffic data collection agent should be installed on Linux virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox,jumpbox,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,"Vulnerabilities in container security configurations should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox,jumpbox,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,"IP Forwarding on your virtual machine should be disabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox,jumpbox,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,"Management ports should be closed on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana,grafana,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Linux machines should meet requirements for the Azure compute security baseline"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox,jumpbox,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,"Adaptive network hardening recommendations should be applied on internet facing virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox,jumpbox,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,"All network ports should be restricted on network security groups associated to your virtual machine"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox,jumpbox,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,"A vulnerability assessment solution should be enabled on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox,jumpbox,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox,jumpbox,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,"Monitor missing Endpoint Protection in Azure Security Center"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox,jumpbox,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,"Vulnerabilities in security configuration on your machines should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox,jumpbox,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Non-internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox,jumpbox,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox,jumpbox,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,"Allowlist rules in your adaptive application control policy should be updated"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox,jumpbox,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,"Adaptive application controls for defining safe applications should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox,jumpbox,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,"SQL servers on machines should have vulnerability findings resolved"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand,ondemand,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhennone,3cf2ab00-13f1-4d0c-8971-2ac904541a7e,/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand,ondemand,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhenuser,497dff13-db2a-4c0f-8603-28fa3b331ab6,/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand,ondemand,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,"Virtual machines should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand,ondemand,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand,ondemand,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,"Vulnerabilities in security configuration on your machines should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand,ondemand,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,"Monitor missing Endpoint Protection in Azure Security Center"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand,ondemand,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Non-internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand,ondemand,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand,ondemand,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,"Allowlist rules in your adaptive application control policy should be updated"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand,ondemand,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,"Adaptive application controls for defining safe applications should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand,ondemand,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,"Management ports of virtual machines should be protected with just-in-time network access control"
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 1.0.0 |  |  | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration |  | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 |  | tbd | modify |  | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | tbd |  | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 1.0.0 |  |  | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration |  | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e |  | tbd | modify |  | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | tbd |  | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand | ondemand | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 1.0.0 |  |  | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration |  | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da |  | tbd | deployifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | tbd |  | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana | grafana | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole | guacamole | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox | jumpbox | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2-previewascdependencyagentauditlinuxeffect04c4380f-3fae-46e8-96c9-30193528f602/providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602azure_security_benchmark_v3.0_lt-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSecurity Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.Monitoring[Preview]: Network traffic data collection agent should be installed on Linux virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-existingsubnet | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 1.0.0 |  |  | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration |  | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da |  | tbd | deployifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | tbd |  | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-EXISTINGSUBNET | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler | scheduler | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/schedulerscheduler55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpboxjumpbox55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemandondemand1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration3.0.0prerequisite_deployextensionlinux331e8ea8-378a-410f-a2e5-ae22f38bb0da/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0datbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand,ondemand,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2-preview,ascdependencyagentauditlinuxeffect,04c4380f-3fae-46e8-96c9-30193528f602,/providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602,azure_security_benchmark_v3.0_lt-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.",Monitoring,[Preview]: Network traffic data collection agent should be installed on Linux virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand,ondemand,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,IP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand,ondemand,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand,ondemand,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,Adaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand,ondemand,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,A vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler,scheduler,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand,ondemand,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,All network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand,ondemand,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,Adaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,tbd,eastus,True,Exempt,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler,scheduler,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,System updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler,scheduler,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler,scheduler,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler,scheduler,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler,scheduler,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler,scheduler,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler,scheduler,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler,scheduler,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler,scheduler,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler,scheduler,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhenuser,497dff13-db2a-4c0f-8603-28fa3b331ab6,/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler,scheduler,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhennone,3cf2ab00-13f1-4d0c-8971-2ac904541a7e,/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines/extensions,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand/extensions/azurepolicyforlinux,azurepolicyforlinux,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines/extensions,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand/extensions/azurepolicyforlinux,azurepolicyforlinux,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand,ondemand,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand,ondemand,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/jumpbox,jumpbox,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,Authentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand,ondemand,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,Azure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand,ondemand,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2-preview,ascdependencyagentauditlinuxeffect,04c4380f-3fae-46e8-96c9-30193528f602,/providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602,azure_security_benchmark_v3.0_lt-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.",Monitoring,[Preview]: Network traffic data collection agent should be installed on Linux virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand,ondemand,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand,ondemand,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,IP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand,ondemand,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,Management ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand,ondemand,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,SQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole,guacamole,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifakvsryejifa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0-previewprivateendpointshouldbeconfiguredforkeyvaultmonitoringeffect5f0bc445-3935-4915-9981-011aa2b46147/providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147System.Object[]tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePrivate link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration.Key Vault[Preview]: Private endpoint should be configured for Key Vault
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.KeyVault/vaultstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifakvsryejifa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0keyvaultsshouldhavesoftdeleteenabledmonitoringeffect1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d/providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2dazure_security_benchmark_v3.0_dp-8tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineDeleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.Key VaultKey vaults should have soft delete enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemandondemand55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole,guacamole,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,Management ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole,guacamole,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,Adaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.storage/storageaccounts/azhopsryejifa,azhopsryejifa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.KeyVault/vaults,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifa,kvsryejifa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,,,1.0.2,secretsexpirationset,98728c90-32c7-4049-8429-847dc0f4fe37,/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37,,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.",Key Vault,Key Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.KeyVault/vaults,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifa,kvsryejifa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect,0b60c0b2-2dc2-4e1c-b5c9-abbed971de53,/providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53,azure_security_benchmark_v3.0_dp-8,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.",Key Vault,Key vaults should have purge protection enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole,guacamole,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,SQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole,guacamole,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,All network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole,guacamole,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,A vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.KeyVault/vaults,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifa,kvsryejifa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,keyvaultsshouldhavesoftdeleteenabledmonitoringeffect,1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d,/providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d,azure_security_benchmark_v3.0_dp-8,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.",Key Vault,Key vaults should have soft delete enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole,guacamole,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.KeyVault/vaults,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifa,kvsryejifa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,firewallshouldbeenabledonkeyvaultmonitoringeffect,55615ac9-af46-4a59-874e-391cc3dfb490,/providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490,System.Object[],tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security",Key Vault,Azure Key Vault should have firewall enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.KeyVault/vaults,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifa,kvsryejifa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.1.0-preview,privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect,5f0bc445-3935-4915-9981-011aa2b46147,/providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147,System.Object[],tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration.",Key Vault,[Preview]: Private endpoint should be configured for Key Vault
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole,guacamole,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,All network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.KeyVault/vaults,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifa,kvsryejifa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,firewallshouldbeenabledonkeyvaultmonitoringeffect,55615ac9-af46-4a59-874e-391cc3dfb490,/providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490,System.Object[],tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security",Key Vault,Azure Key Vault should have firewall enabled
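The Key Vault rows above report vault kvsryejifa as non-compliant on four audits (secret expiration, purge protection, firewall, private endpoint) and compliant on soft delete. Each of those policies inspects one property of the vault or of its secrets. The following Python is an added example, not part of this report, its generating script or any Microsoft tooling: it evaluates those properties the way the listed policy definitions do and emits the az CLI commands that would fix the failing checks. The input is constructed; its dict shape is an assumption modelled on the JSON that `az keyvault show` and `az keyvault secret list` return, the secret names are made up, and the 90-day secret lifetime is an organisational choice (the built-in policy only checks that an expiry exists). Only the vault name comes from the report.

```python
from datetime import datetime, timedelta, timezone

MAX_SECRET_LIFETIME_DAYS = 90  # assumed organisational limit; policy 98728c90 only checks an expiry is set

# Constructed sample input. The dict shapes are an assumption modelled on the JSON
# that `az keyvault show` / `az keyvault secret list` return; only the keys read
# below matter. The vault name is the one in the report, the secret names are made up.
SAMPLE_VAULT = {
    "name": "kvsryejifa",
    "properties": {
        "enableSoftDelete": True,
        "enablePurgeProtection": None,
        "networkAcls": {"defaultAction": "Allow", "ipRules": [], "virtualNetworkRules": []},
        "privateEndpointConnections": None,
    },
}
SAMPLE_SECRETS = [
    {"name": "grafana-admin-password", "attributes": {"enabled": True, "expires": None}},
    {"name": "slurm-db-password", "attributes": {"enabled": True, "expires": "2023-06-30T00:00:00+00:00"}},
]


def secret_expiry(secret):
    """Return the secret's expiry as an aware datetime, or None when no expiry is set."""
    raw = (secret.get("attributes") or {}).get("expires")
    if not raw:
        return None
    return datetime.fromisoformat(raw.replace("Z", "+00:00"))


def secrets_without_expiry(secrets):
    """Names of secrets that policy 98728c90 would flag."""
    return [s["name"] for s in secrets if secret_expiry(s) is None]


def evaluate_vault(vault, secrets):
    """Evaluate the vault properties the Key Vault policies in the report audit. True = compliant."""
    props = vault.get("properties") or {}
    acls = props.get("networkAcls") or {}
    endpoints = props.get("privateEndpointConnections") or []
    return {
        # 1e66c121: Key vaults should have soft delete enabled
        "soft_delete": bool(props.get("enableSoftDelete")),
        # 0b60c0b2: Key vaults should have purge protection enabled
        "purge_protection": bool(props.get("enablePurgeProtection")),
        # 55615ac9: Azure Key Vault should have firewall enabled (network default action is Deny)
        "firewall": acls.get("defaultAction") == "Deny",
        # 5f0bc445: Private endpoint should be configured for Key Vault (an approved connection exists)
        "private_endpoint": any(
            (c.get("privateLinkServiceConnectionState") or {}).get("status") == "Approved"
            for c in endpoints
        ),
        # 98728c90: Key Vault secrets should have an expiration date (vacuously true with no secrets)
        "secrets_expire": not secrets_without_expiry(secrets),
    }


def remediation_commands(vault_name, result, secrets, now):
    """az CLI commands for the failing checks. They are returned for review, not executed."""
    cmds = []
    if not result["purge_protection"]:
        # Irreversible: once enabled it cannot be switched off, and nobody can purge the
        # vault before the soft-delete retention period ends.
        cmds.append(f"az keyvault update --name {vault_name} --enable-purge-protection true")
    if not result["firewall"]:
        # Add --bypass AzureServices and the IP/VNet rules for every legitimate client first
        # (including the host that runs this report), or they lose access when the default
        # action becomes Deny.
        cmds.append(f"az keyvault update --name {vault_name} --default-action Deny")
    expires = (now + timedelta(days=MAX_SECRET_LIFETIME_DAYS)).astimezone(timezone.utc)
    for name in secrets_without_expiry(secrets):
        cmds.append(
            f"az keyvault secret set-attributes --vault-name {vault_name} --name {name} "
            f"--expires {expires.strftime('%Y-%m-%dT%H:%M:%SZ')}"
        )
    # The private-endpoint finding needs a VNet, subnet and private DNS zone; no one-line fix.
    return cmds


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    result = evaluate_vault(SAMPLE_VAULT, SAMPLE_SECRETS)
    for check, ok in result.items():
        print(f"{check:18} {'Compliant' if ok else 'NonCompliant'}")
    for cmd in remediation_commands(SAMPLE_VAULT["name"], result, SAMPLE_SECRETS, now):
        print(cmd)
```

Soft delete is the one check the vault passes, which is why no command is generated for it. The purge-protection and firewall commands are both one-way operations from the point of view of availability: the first cannot be undone, and the second cuts off every client that is not on the allow list, so the rules for the reporting host and the workloads in jm-azhop-existingsubnet must exist before the default action changes.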
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand,ondemand,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,Linux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole,guacamole,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole,guacamole,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana,grafana,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Non-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana,grafana,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana,grafana,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,Allowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana,grafana,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,Adaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana,grafana,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,Management ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana,grafana,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana,grafana,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,System updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana,grafana,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,Guest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana,grafana,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,3.0.0,prerequisite_deployextensionlinux,331e8ea8-378a-410f-a2e5-ae22f38bb0da,/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da,,tbd,deployifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana,grafana,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana,grafana,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana,grafana,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana,grafana,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2-preview,ascdependencyagentauditlinuxeffect,04c4380f-3fae-46e8-96c9-30193528f602,/providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602,azure_security_benchmark_v3.0_lt-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.",Monitoring,[Preview]: Network traffic data collection agent should be installed on Linux virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines/extensions,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal/extensions/azurepolicyforlinux,azurepolicyforlinux,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-EXISTINGSUBNETMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportalccportal55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2-previewascdependencyagentauditlinuxeffect04c4380f-3fae-46e8-96c9-30193528f602/providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602azure_security_benchmark_v3.0_lt-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecurity Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.Monitoring[Preview]: Network traffic data collection agent should be installed on Linux virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafanagrafana55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifakvsryejifa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect0b60c0b2-2dc2-4e1c-b5c9-abbed971de53/providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53azure_security_benchmark_v3.0_dp-8tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMalicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.Key VaultKey vaults should have purge protection enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.KeyVault/vaults,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.keyvault/vaults/kvsryejifa,kvsryejifa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,,,1.0.2,secretsexpirationset,98728c90-32c7-4049-8429-847dc0f4fe37,/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37,,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.",Key Vault,Key Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.DBforMySQL/servers,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.dbformysql/servers/azhop-sryejifa,azhop-sryejifa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,publicnetworkaccessshouldbedisabledformysqlserversmonitoringeffect,d9844e8a-1437-4aeb-a32c-0c992f056095,/providers/microsoft.authorization/policydefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.",SQL,Public network access should be disabled for MySQL servers
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole,guacamole,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,Guest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.DBforMySQL/servers,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.dbformysql/servers/azhop-sryejifa,azhop-sryejifa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,georedundantbackupshouldbeenabledforazuredatabaseformysqlmonitoringeffect,82339799-d096-41ae-8538-b108becf0970,/providers/microsoft.authorization/policydefinitions/82339799-d096-41ae-8538-b108becf0970,System.Object[],tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.",SQL,Geo-redundant backup should be enabled for Azure Database for MySQL
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal,ccportal,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,Authentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.DBforMySQL/servers,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.dbformysql/servers/azhop-sryejifa,azhop-sryejifa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,enforcesslconnectionshouldbeenabledformysqldatabaseserversmonitoringeffect,e802a67a-daf5-4436-9ea6-f6d821dd0c5d,/providers/microsoft.authorization/policydefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",SQL,Enforce SSL connection should be enabled for MySQL database servers
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole,guacamole,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ccportal,ccportal,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,Linux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana,grafana,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,Linux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.DBforMySQL/servers,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.dbformysql/servers/azhop-sryejifa,azhop-sryejifa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,publicnetworkaccessshouldbedisabledformysqlserversmonitoringeffect,d9844e8a-1437-4aeb-a32c-0c992f056095,/providers/microsoft.authorization/policydefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.",SQL,Public network access should be disabled for MySQL servers
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.DBforMySQL/servers,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.dbformysql/servers/azhop-sryejifa,azhop-sryejifa,1.0.1,,,e77fc0b3-f7e9-4c58-bc13-cb753ed8e46e,/providers/Microsoft.Authorization/policySetDefinitions/e77fc0b3-f7e9-4c58-bc13-cb753ed8e46e,security center,,1.0.1,deployatponazuredatabaseformysqlserver,80ed5239-4122-41ed-b54a-6f1fa7552816,/providers/microsoft.authorization/policydefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816,,tbd,deployifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,OpenSourceRelationalDatabasesProtectionSecurityCenter,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/opensourcerelationaldatabasesprotectionsecuritycenter,"Enable Advanced Threat Protection on your non-Basic tier Azure database for MySQL servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.",SQL,Configure Advanced Threat Protection to be enabled on Azure database for MySQL servers
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.DBforMySQL/servers,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.dbformysql/servers/azhop-sryejifa,azhop-sryejifa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,privateendpointshouldbeenabledformysqlserversmonitoringeffect,7595c971-233d-4bcf-bd18-596129188c49,/providers/microsoft.authorization/policydefinitions/7595c971-233d-4bcf-bd18-596129188c49,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.",SQL,Private endpoint should be enabled for MySQL servers
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole,guacamole,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole,guacamole,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2-preview,ascdependencyagentauditlinuxeffect,04c4380f-3fae-46e8-96c9-30193528f602,/providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602,azure_security_benchmark_v3.0_lt-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.",Monitoring,[Preview]: Network traffic data collection agent should be installed on Linux virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-AZHOP-EXISTINGSUBNET,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/scheduler,scheduler,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,Linux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.DBforMySQL/servers,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.dbformysql/servers/azhop-sryejifa,azhop-sryejifa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,privateendpointshouldbeenabledformysqlserversmonitoringeffect,7595c971-233d-4bcf-bd18-596129188c49,/providers/microsoft.authorization/policydefinitions/7595c971-233d-4bcf-bd18-596129188c49,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.",SQL,Private endpoint should be enabled for MySQL servers
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole,guacamole,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/ondemand,ondemand,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,Linux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.DBforMySQL/servers,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.dbformysql/servers/azhop-sryejifa,azhop-sryejifa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,enforcesslconnectionshouldbeenabledformysqldatabaseserversmonitoringeffect,e802a67a-daf5-4436-9ea6-f6d821dd0c5d,/providers/microsoft.authorization/policydefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",SQL,Enforce SSL connection should be enabled for MySQL database servers
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole,guacamole,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,System updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/grafana,grafana,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,Authentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole,guacamole,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,Management ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole,guacamole,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,Adaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole,guacamole,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,Allowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole,guacamole,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole,guacamole,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,3.0.0,prerequisite_deployextensionlinux,331e8ea8-378a-410f-a2e5-ae22f38bb0da,/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da,,tbd,deployifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.DBforMySQL/servers,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.dbformysql/servers/azhop-sryejifa,azhop-sryejifa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,georedundantbackupshouldbeenabledforazuredatabaseformysqlmonitoringeffect,82339799-d096-41ae-8538-b108becf0970,/providers/microsoft.authorization/policydefinitions/82339799-d096-41ae-8538-b108becf0970,System.Object[],tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.",SQL,Geo-redundant backup should be enabled for Azure Database for MySQL
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole,guacamole,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Non-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole,guacamole,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,Vulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-azhop-existingsubnet,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamole,guacamole,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,Azure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-existingsubnetMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-existingsubnet/providers/microsoft.compute/virtualmachines/guacamoleguacamole55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eusjm-azhop-deployer-vm-eus1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration3.0.0prerequisite_deployextensionlinux331e8ea8-378a-410f-a2e5-ae22f38bb0da/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0datbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eusjm-azhop-deployer-vm-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eusjm-azhop-deployer-vm-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eusjm-azhop-deployer-vm-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eusjm-azhop-deployer-vm-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eusjm-azhop-deployer-vm-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eusjm-azhop-deployer-vm-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eusjm-azhop-deployer-vm-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eusjm-azhop-deployer-vm-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eusjm-azhop-deployer-vm-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eusjm-azhop-deployer-vm-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eusjm-azhop-deployer-vm-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eusjm-azhop-deployer-vm-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eusjm-azhop-deployer-vm-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eusjm-azhop-deployer-vm-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eusjm-azhop-deployer-vm-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eusjm-azhop-deployer-vm-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eusjm-azhop-deployer-vm-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eusjm-azhop-deployer-vm-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eusjm-azhop-deployer-vm-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eusjm-azhop-deployer-vm-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 1.0.0 |  |  | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration |  | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 |  | tbd | modify |  | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | tbd |  | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 1.0.0 |  |  | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration |  | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e |  | tbd | modify |  | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | tbd |  | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Exempt |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-AZHOP-RG-EUS | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eus | jm-azhop-deployer-vm-eus | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-rg-eus | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.network/virtualnetworks/hpcvnet | hpcvnet | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-rg-eus | Microsoft.Network/virtualNetworks/subnets | tbd |  | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.network/virtualnetworks/hpcvnet/subnets/ad | ad | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-rg-eus | Microsoft.Network/virtualNetworks/subnets | tbd |  | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.network/virtualnetworks/hpcvnet/subnets/admin | admin | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-azhop-rg-eus | Microsoft.Network/virtualNetworks/subnets | tbd |  | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.network/virtualnetworks/hpcvnet/subnets/compute | compute | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-rg-eusMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.network/virtualnetworks/hpcvnet/subnets/frontendfrontend55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-rg-eusMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.network/virtualnetworks/hpcvnet/subnets/gatewaysubnetgatewaysubnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-rg-eusMicrosoft.Network/virtualNetworks/subnetstbdFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.network/virtualnetworks/hpcvnet/subnets/netappnetapp55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eusjm-azhop-deployer-vm-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eusjm-azhop-deployer-vm-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eusjm-azhop-deployer-vm-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eusjm-azhop-deployer-vm-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eusjm-azhop-deployer-vm-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eusjm-azhop-deployer-vm-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622JM-AZHOP-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.compute/virtualmachines/jm-azhop-deployer-vm-eusjm-azhop-deployer-vm-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-rg-eusMicrosoft.Network/virtualNetworkstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.network/virtualnetworks/hpcvnethpcvnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-azhop-rg-eusMicrosoft.Network/virtualNetworkstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-azhop-rg-eus/providers/microsoft.network/virtualnetworks/hpcvnethpcvnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-batch-eus-gbb-rgMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.storage/storageaccounts/jmgbbbatchsajmgbbbatchsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622jm-batch-eus-gbb-rgMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.storage/storageaccounts/jmgbbbatchsajmgbbbatchsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622jm-batch-eus-gbb-rgMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.storage/storageaccounts/jmgbbbatchsajmgbbbatchsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622jm-batch-eus-gbb-rgMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.storage/storageaccounts/jmgbbbatchsajmgbbbatchsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622jm-batch-eus-gbb-rgMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.storage/storageaccounts/jmgbbbootdiagssajmgbbbootdiagssa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622jm-batch-eus-gbb-rgMicrosoft.VirtualMachineImages/imageTemplatestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.virtualmachineimages/imagetemplates/relionimagetemplateforsig02relionimagetemplateforsig0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0vmimagebuildertemplatesshoulduseprivatelinkmonitoringeffect2154edb9-244f-4741-9970-660785bccdaa/providers/microsoft.authorization/policydefinitions/2154edb9-244f-4741-9970-660785bccdaaazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet.VM Image BuilderVM Image Builder templates should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622jm-batch-eus-gbb-rgMicrosoft.VirtualMachineImages/imageTemplatestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.virtualmachineimages/imagetemplates/relionimagetemplateforsig03relionimagetemplateforsig0355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0vmimagebuildertemplatesshoulduseprivatelinkmonitoringeffect2154edb9-244f-4741-9970-660785bccdaa/providers/microsoft.authorization/policydefinitions/2154edb9-244f-4741-9970-660785bccdaaazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet.VM Image BuilderVM Image Builder templates should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622jm-batch-eus-gbb-rgMicrosoft.VirtualMachineImages/imageTemplatestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.virtualmachineimages/imagetemplates/helloimagetemplateforsig01helloimagetemplateforsig0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0vmimagebuildertemplatesshoulduseprivatelinkmonitoringeffect2154edb9-244f-4741-9970-660785bccdaa/providers/microsoft.authorization/policydefinitions/2154edb9-244f-4741-9970-660785bccdaaazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet.VM Image BuilderVM Image Builder templates should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622jm-batch-eus-gbb-rgMicrosoft.VirtualMachineImages/imageTemplatestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.virtualmachineimages/imagetemplates/helloimagetemplateforsig01helloimagetemplateforsig0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0vmimagebuildertemplatesshoulduseprivatelinkmonitoringeffect2154edb9-244f-4741-9970-660785bccdaa/providers/microsoft.authorization/policydefinitions/2154edb9-244f-4741-9970-660785bccdaaazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet.VM Image BuilderVM Image Builder templates should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622jm-batch-eus-gbb-rgMicrosoft.VirtualMachineImages/imageTemplatestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.virtualmachineimages/imagetemplates/relionimagetemplateforsig02relionimagetemplateforsig0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0vmimagebuildertemplatesshoulduseprivatelinkmonitoringeffect2154edb9-244f-4741-9970-660785bccdaa/providers/microsoft.authorization/policydefinitions/2154edb9-244f-4741-9970-660785bccdaaazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet.VM Image BuilderVM Image Builder templates should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-batch-eus-gbb-rg,Microsoft.Batch/batchAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.batch/batchaccounts/jmgbbbatch2eus,jmgbbbatch2eus,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,5.0.0,diagnosticslogsinbatchaccountmonitoring,428256e6-1fac-4f48-a757-df34c2b3336d,/providers/microsoft.authorization/policydefinitions/428256e6-1fac-4f48-a757-df34c2b3336d,azure_security_benchmark_v3.0_lt-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised",Batch,Resource logs in Batch accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-batch-eus-gbb-rg,Microsoft.Batch/batchAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.batch/batchaccounts/jmgbbbatch2eus,jmgbbbatch2eus,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,5.0.0,diagnosticslogsinbatchaccountmonitoring,428256e6-1fac-4f48-a757-df34c2b3336d,/providers/microsoft.authorization/policydefinitions/428256e6-1fac-4f48-a757-df34c2b3336d,azure_security_benchmark_v3.0_lt-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised",Batch,Resource logs in Batch accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-batch-eus-gbb-rg,Microsoft.Network/virtualNetworks,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.network/virtualnetworks/jm-batch-eus-gbb-rg-vnet,jm-batch-eus-gbb-rg-vnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networkwatchershouldbeenabledmonitoringeffect,b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,azure_security_benchmark_v3.0_ir-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.",Network,Network Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-batch-eus-gbb-rg,Microsoft.Network/virtualNetworks,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.network/virtualnetworks/jm-batch-eus-gbb-rg-vnet,jm-batch-eus-gbb-rg-vnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networkwatchershouldbeenabledmonitoringeffect,b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,azure_security_benchmark_v3.0_ir-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.",Network,Network Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-batch-eus-gbb-rg,Microsoft.Network/virtualNetworks/subnets,tbd,,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.network/virtualnetworks/jm-batch-eus-gbb-rg-vnet/subnets/default,default,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",Security Center,Subnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-batch-eus-gbb-rg,Microsoft.Network/virtualNetworks,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.network/virtualnetworks/jm-batch-eus-gbb-rg-vnet,jm-batch-eus-gbb-rg-vnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vnetenableddosprotectionmonitoring,a7aca53f-2ed4-4466-a25e-0b45ade68efd,/providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd,azure_security_benchmark_v3.0_ns-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.",Security Center,Azure DDoS Protection Standard should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-batch-eus-gbb-rg,Microsoft.Storage/storageAccounts,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.storage/storageaccounts/jmgbbbootdiagssa,jmgbbbootdiagssa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,Storage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-batch-eus-gbb-rg,Microsoft.VirtualMachineImages/imageTemplates,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.virtualmachineimages/imagetemplates/relionimagetemplateforsig03,relionimagetemplateforsig03,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.1.0,vmimagebuildertemplatesshoulduseprivatelinkmonitoringeffect,2154edb9-244f-4741-9970-660785bccdaa,/providers/microsoft.authorization/policydefinitions/2154edb9-244f-4741-9970-660785bccdaa,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet.",VM Image Builder,VM Image Builder templates should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-batch-eus-gbb-rg,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.storage/storageaccounts/jmgbbbootdiagssa,jmgbbbootdiagssa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-batch-eus-gbb-rg,Microsoft.Storage/storageAccounts,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.storage/storageaccounts/jmgbbbootdiagssa,jmgbbbootdiagssa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,Storage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-batch-eus-gbb-rg,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.storage/storageaccounts/jmgbbbootdiagssa,jmgbbbootdiagssa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,Storage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-batch-eus-gbb-rg,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.storage/storageaccounts/jmgbbbatchsa,jmgbbbatchsa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-batch-eus-gbb-rg,Microsoft.Storage/storageAccounts,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.storage/storageaccounts/jmgbbbootdiagssa,jmgbbbootdiagssa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,Storage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-batch-eus-gbb-rg,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.storage/storageaccounts/jmgbbbatchsa,jmgbbbatchsa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,Storage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-batch-eus-gbb-rg,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.storage/storageaccounts/jmgbbbatchsa,jmgbbbatchsa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-batch-eus-gbb-rg,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.storage/storageaccounts/jmgbbbootdiagssa,jmgbbbootdiagssa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-batch-eus-gbb-rg,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.storage/storageaccounts/jmgbbbootdiagssa,jmgbbbootdiagssa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-batch-eus-gbb-rg,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.storage/storageaccounts/jmgbbbootdiagssa,jmgbbbootdiagssa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,Storage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-batch-eus-gbb-rg,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.storage/storageaccounts/jmgbbbatchsa,jmgbbbatchsa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-batch-eus-gbb-rg,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.storage/storageaccounts/jmgbbbootdiagssa,jmgbbbootdiagssa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-batch-eus-gbb-rg,Microsoft.Storage/storageAccounts,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.storage/storageaccounts/jmgbbbatchsa,jmgbbbatchsa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.1.1,disableunrestrictednetworktostorageaccountmonitoring,34c877ad-507e-4c82-993e-3452a6e0ad3c,/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges",Storage,Storage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-batch-eus-gbb-rg,Microsoft.Storage/storageAccounts,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.storage/storageaccounts/jmgbbbootdiagssa,jmgbbbootdiagssa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.1.1,disableunrestrictednetworktostorageaccountmonitoring,34c877ad-507e-4c82-993e-3452a6e0ad3c,/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges",Storage,Storage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-batch-eus-gbb-rg,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.storage/storageaccounts/jmgbbbatchsa,jmgbbbatchsa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,Storage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-batch-eus-gbb-rg,Microsoft.Storage/storageAccounts,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-eus-gbb-rg/providers/microsoft.storage/storageaccounts/jmgbbbatchsa,jmgbbbatchsa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,Storage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-batch-rg-scus,Microsoft.KeyVault/vaults,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-rg-scus/providers/microsoft.keyvault/vaults/dragenkv,dragenkv,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,keyvaultsshouldhavesoftdeleteenabledmonitoringeffect,1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d,/providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d,azure_security_benchmark_v3.0_dp-8,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.",Key Vault,Key vaults should have soft delete enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-batch-rg-scus,Microsoft.KeyVault/vaults,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-rg-scus/providers/microsoft.keyvault/vaults/dragenkv,dragenkv,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,firewallshouldbeenabledonkeyvaultmonitoringeffect,55615ac9-af46-4a59-874e-391cc3dfb490,/providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490,System.Object[],tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security",Key Vault,Azure Key Vault should have firewall enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-batch-rg-scus,Microsoft.KeyVault/vaults,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-rg-scus/providers/microsoft.keyvault/vaults/dragenkv,dragenkv,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.1.0-preview,privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect,5f0bc445-3935-4915-9981-011aa2b46147,/providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147,System.Object[],tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration.",Key Vault,[Preview]: Private endpoint should be configured for Key Vault
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-batch-rg-scus,Microsoft.KeyVault/vaults,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-rg-scus/providers/microsoft.keyvault/vaults/dragenkv,dragenkv,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect,0b60c0b2-2dc2-4e1c-b5c9-abbed971de53,/providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53,azure_security_benchmark_v3.0_dp-8,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.",Key Vault,Key vaults should have purge protection enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-batch-rg-scus,Microsoft.KeyVault/vaults,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-rg-scus/providers/microsoft.keyvault/vaults/dragenkv,dragenkv,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,5.0.0,diagnosticslogsinkeyvaultmonitoring,cf820ca0-f99e-4f3e-84fb-66e913812d21,/providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised",Key Vault,Resource logs in Key Vault should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-batch-rg-scus,Microsoft.KeyVault/vaults,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-rg-scus/providers/microsoft.keyvault/vaults/dragenkv,dragenkv,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect,0b60c0b2-2dc2-4e1c-b5c9-abbed971de53,/providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53,azure_security_benchmark_v3.0_dp-8,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.",Key Vault,Key vaults should have purge protection enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-batch-rg-scusMicrosoft.KeyVault/vaultstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-rg-scus/providers/microsoft.keyvault/vaults/dragenkvdragenkv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0firewallshouldbeenabledonkeyvaultmonitoringeffect55615ac9-af46-4a59-874e-391cc3dfb490/providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490System.Object[]tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-securityKey VaultAzure Key Vault should have firewall enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-batch-rg-scusMicrosoft.KeyVault/vaultstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-rg-scus/providers/microsoft.keyvault/vaults/dragenkvdragenkv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center5.0.0diagnosticslogsinkeyvaultmonitoringcf820ca0-f99e-4f3e-84fb-66e913812d21/providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromisedKey VaultResource logs in Key Vault should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-batch-rg-scusMicrosoft.KeyVault/vaultstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-rg-scus/providers/microsoft.keyvault/vaults/dragenkvdragenkv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0keyvaultsshouldhavesoftdeleteenabledmonitoringeffect1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d/providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2dazure_security_benchmark_v3.0_dp-8tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineDeleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.Key VaultKey vaults should have soft delete enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-batch-rg-scusMicrosoft.KeyVault/vaultstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-batch-rg-scus/providers/microsoft.keyvault/vaults/dragenkvdragenkv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0-previewprivateendpointshouldbeconfiguredforkeyvaultmonitoringeffect5f0bc445-3935-4915-9981-011aa2b46147/providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147System.Object[]tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPrivate link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration.Key Vault[Preview]: Private endpoint should be configured for Key Vault
1d81cec7-7ded-4731-884e-90c5aa59c622jm-eventbatch-eus-rgMicrosoft.Batch/batchAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-eventbatch-eus-rg/providers/microsoft.batch/batchaccounts/batchaceastusbatchaceastus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center5.0.0diagnosticslogsinbatchaccountmonitoring428256e6-1fac-4f48-a757-df34c2b3336d/providers/microsoft.authorization/policydefinitions/428256e6-1fac-4f48-a757-df34c2b3336dazure_security_benchmark_v3.0_lt-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromisedBatchResource logs in Batch accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-eventbatch-eus-rgMicrosoft.Batch/batchAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-eventbatch-eus-rg/providers/microsoft.batch/batchaccounts/batchaceastusbatchaceastus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center5.0.0diagnosticslogsinbatchaccountmonitoring428256e6-1fac-4f48-a757-df34c2b3336d/providers/microsoft.authorization/policydefinitions/428256e6-1fac-4f48-a757-df34c2b3336dazure_security_benchmark_v3.0_lt-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromisedBatchResource logs in Batch accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-eventbatch-eus-rgMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-eventbatch-eus-rg/providers/microsoft.network/virtualnetworks/batchaceastus-vnet/subnets/defaultdefault55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622jm-eventbatch-eus-rgMicrosoft.Network/virtualNetworkstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-eventbatch-eus-rg/providers/microsoft.network/virtualnetworks/batchaceastus-vnetbatchaceastus-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-eventbatch-eus-rgMicrosoft.Network/virtualNetworkstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-eventbatch-eus-rg/providers/microsoft.network/virtualnetworks/batchaceastus-vnetbatchaceastus-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-eventbatch-eus-rgMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-eventbatch-eus-rg/providers/microsoft.storage/storageaccounts/eventhpcsaeventhpcsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622jm-eventbatch-eus-rgMicrosoft.Network/virtualNetworkstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-eventbatch-eus-rg/providers/microsoft.network/virtualnetworks/batchaceastus-vnetbatchaceastus-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vnetenableddosprotectionmonitoringa7aca53f-2ed4-4466-a25e-0b45ade68efd/providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efdazure_security_benchmark_v3.0_ns-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.Security CenterAzure DDoS Protection Standard should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-eventbatch-eus-rgMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-eventbatch-eus-rg/providers/microsoft.storage/storageaccounts/eventhpcsaeventhpcsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622jm-eventbatch-eus-rgMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-eventbatch-eus-rg/providers/microsoft.storage/storageaccounts/eventhpcsaeventhpcsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622jm-eventbatch-eus-rgMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-eventbatch-eus-rg/providers/microsoft.storage/storageaccounts/eventhpcsaeventhpcsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622jm-eventbatch-eus-rgMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-eventbatch-eus-rg/providers/microsoft.storage/storageaccounts/eventhpcsaeventhpcsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-eventbatch-eus-rgMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-eventbatch-eus-rg/providers/microsoft.storage/storageaccounts/eventhpcsaeventhpcsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-eventbatch-eus-rgMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-eventbatch-eus-rg/providers/microsoft.storage/storageaccounts/eventhpcsaeventhpcsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622jm-eventbatch-eus-rgMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-eventbatch-eus-rg/providers/microsoft.storage/storageaccounts/eventhpcsaeventhpcsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622jm-eventbatch-eus-rgMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-eventbatch-eus-rg/providers/microsoft.storage/storageaccounts/eventhpcsaeventhpcsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-eventbatch-eus-rgMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-eventbatch-eus-rg/providers/microsoft.storage/storageaccounts/eventhpcsaeventhpcsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-eventbatch-eus-rgMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-eventbatch-eus-rg/providers/microsoft.storage/storageaccounts/eventhpcsaeventhpcsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622JMGBB-CC-ADE-CMK-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vmjm-cmkade-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-cc-ade-cmk-eusMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskvjmcmeadeeuskv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2keysexpirationset152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0/providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineCryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.Key VaultKey Vault keys should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-cc-ade-cmk-eusMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskvjmcmeadeeuskv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2keysexpirationset152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0/providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineCryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.Key VaultKey Vault keys should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-cc-ade-cmk-eusMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskvjmcmeadeeuskv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2keysexpirationset152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0/providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineCryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.Key VaultKey Vault keys should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-cc-ade-cmk-eusMicrosoft.Network/virtualNetworkstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.network/virtualnetworks/vm-for-imagevnetvm-for-imagevnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vnetenableddosprotectionmonitoringa7aca53f-2ed4-4466-a25e-0b45ade68efd/providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efdazure_security_benchmark_v3.0_ns-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.Security CenterAzure DDoS Protection Standard should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622JMGBB-CC-ADE-CMK-EUSMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622JMGBB-CC-ADE-CMK-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vmjm-cmkade-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JMGBB-CC-ADE-CMK-EUSMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-cc-ade-cmk-eusMicrosoft.Network/virtualNetworkstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.network/virtualnetworks/vm-for-imagevnetvm-for-imagevnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-cc-ade-cmk-eusMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.network/virtualnetworks/vm-for-imagevnet/subnets/azurebastionsubnetazurebastionsubnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-cc-ade-cmk-eusMicrosoft.Network/virtualNetworks/subnetstbdFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.network/virtualnetworks/vm-for-imagevnet/subnets/jmcmkadeanfsnjmcmkadeanfsn55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622JMGBB-CC-ADE-CMK-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vmjm-cmkade-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JMGBB-CC-ADE-CMK-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vmjm-cmkade-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-cc-ade-cmk-eusMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.network/virtualnetworks/vm-for-imagevnet/subnets/vm-for-imagesubnetvm-for-imagesubnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622JMGBB-CC-ADE-CMK-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vmjm-cmkade-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622JMGBB-CC-ADE-CMK-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vmjm-cmkade-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-cc-ade-cmk-eusMicrosoft.Network/virtualNetworkstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.network/virtualnetworks/vm-for-imagevnetvm-for-imagevnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622JMGBB-CC-ADE-CMK-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vmjm-cmkade-cc-vm1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622JMGBB-CC-ADE-CMK-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vmjm-cmkade-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JMGBB-CC-ADE-CMK-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vmjm-cmkade-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,JMGBB-CC-ADE-CMK-EUS,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm,jm-cmkade-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,"[Preview]: Machines should be configured to periodically check for missing system updates"
1d81cec7-7ded-4731-884e-90c5aa59c622,JMGBB-CC-ADE-CMK-EUS,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm,jm-cmkade-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,"[Preview]: Secure Boot should be enabled on supported Windows virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,JMGBB-CC-ADE-CMK-EUS,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm,jm-cmkade-cc-vm,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhennone,3cf2ab00-13f1-4d0c-8971-2ac904541a7e,/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities"
1d81cec7-7ded-4731-884e-90c5aa59c622,JMGBB-CC-ADE-CMK-EUS,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm,jm-cmkade-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,"Virtual machines should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmgbb-cc-ade-cmk-eus,Microsoft.KeyVault/vaults,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskv,jmcmeadeeuskv,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,firewallshouldbeenabledonkeyvaultmonitoringeffect,55615ac9-af46-4a59-874e-391cc3dfb490,/providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490,System.Object[],tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security",Key Vault,"Azure Key Vault should have firewall enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,JMGBB-CC-ADE-CMK-EUS,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm,jm-cmkade-cc-vm,,,,,,,,3.0.0,,702dd420-7fcc-42c5-afe8-4026edd20fe0,/providers/microsoft.authorization/policydefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0,,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourceGroups/jmgbb-cc-ade-cmk-eus,tbd,,18c883224132411a8a33bf42,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.authorization/policyassignments/18c883224132411a8a33bf42,"Use customer-managed keys to manage the encryption at rest of the contents of your managed disks. By default, the data is encrypted at rest with platform-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/disks-cmk.",Compute,"OS and data disks should be encrypted with a customer-managed key"
1d81cec7-7ded-4731-884e-90c5aa59c622,JMGBB-CC-ADE-CMK-EUS,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm,jm-cmkade-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,"[Preview]: Machines should be configured to periodically check for missing system updates"
1d81cec7-7ded-4731-884e-90c5aa59c622,JMGBB-CC-ADE-CMK-EUS,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm,jm-cmkade-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,"Monitor missing Endpoint Protection in Azure Security Center"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmgbb-cc-ade-cmk-eus,Microsoft.KeyVault/vaults,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskv,jmcmeadeeuskv,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,5.0.0,diagnosticslogsinkeyvaultmonitoring,cf820ca0-f99e-4f3e-84fb-66e913812d21,/providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised",Key Vault,"Resource logs in Key Vault should be enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,JMGBB-CC-ADE-CMK-EUS,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm,jm-cmkade-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,"Authentication to Linux machines should require SSH keys"
1d81cec7-7ded-4731-884e-90c5aa59c622,JMGBB-CC-ADE-CMK-EUS,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm,jm-cmkade-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmgbb-cc-ade-cmk-eus,Microsoft.KeyVault/vaults,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskv,jmcmeadeeuskv,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.1.0-preview,privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect,5f0bc445-3935-4915-9981-011aa2b46147,/providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147,System.Object[],tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration.",Key Vault,"[Preview]: Private endpoint should be configured for Key Vault"
1d81cec7-7ded-4731-884e-90c5aa59c622JMGBB-CC-ADE-CMK-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vmjm-cmkade-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-cc-ade-cmk-eusMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskvjmcmeadeeuskv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2keysexpirationset152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0/providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineCryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.Key VaultKey Vault keys should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-cc-ade-cmk-eusMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskvjmcmeadeeuskv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2keysexpirationset152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0/providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineCryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.Key VaultKey Vault keys should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-cc-ade-cmk-eusMicrosoft.KeyVault/vaultstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskvjmcmeadeeuskv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0keyvaultsshouldhavesoftdeleteenabledmonitoringeffect1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d/providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2dazure_security_benchmark_v3.0_dp-8tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineDeleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.Key VaultKey vaults should have soft delete enabled
1d81cec7-7ded-4731-884e-90c5aa59c622JMGBB-CC-ADE-CMK-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vmjm-cmkade-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622JMGBB-CC-ADE-CMK-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vmjm-cmkade-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-cc-ade-cmk-eusMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskvjmcmeadeeuskv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2keysexpirationset152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0/providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineCryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.Key VaultKey Vault keys should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-cc-ade-cmk-eusMicrosoft.KeyVault/vaultstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskvjmcmeadeeuskv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect0b60c0b2-2dc2-4e1c-b5c9-abbed971de53/providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53azure_security_benchmark_v3.0_dp-8tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMalicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.Key VaultKey vaults should have purge protection enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-cc-ade-cmk-eusMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskvjmcmeadeeuskv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2keysexpirationset152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0/providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineCryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.Key VaultKey Vault keys should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-cc-ade-cmk-eusMicrosoft.KeyVault/vaultstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskvjmcmeadeeuskv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0keyvaultsshouldhavesoftdeleteenabledmonitoringeffect1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d/providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2dazure_security_benchmark_v3.0_dp-8tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDeleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.Key VaultKey vaults should have soft delete enabled
1d81cec7-7ded-4731-884e-90c5aa59c622JMGBB-CC-ADE-CMK-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vmjm-cmkade-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-cc-ade-cmk-eusMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskvjmcmeadeeuskv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2keysexpirationset152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0/providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineCryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.Key VaultKey Vault keys should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622JMGBB-CC-ADE-CMK-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vmjm-cmkade-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-cc-ade-cmk-eusMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskvjmcmeadeeuskv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2keysexpirationset152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0/providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineCryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.Key VaultKey Vault keys should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622JMGBB-CC-ADE-CMK-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vmjm-cmkade-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-cc-ade-cmk-eusMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskvjmcmeadeeuskv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0firewallshouldbeenabledonkeyvaultmonitoringeffect55615ac9-af46-4a59-874e-391cc3dfb490/providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490System.Object[]tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-securityKey VaultAzure Key Vault should have firewall enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-cc-ade-cmk-eusMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskvjmcmeadeeuskv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2keysexpirationset152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0/providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineCryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.Key VaultKey Vault keys should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-cc-ade-cmk-eusMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskvjmcmeadeeuskv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2keysexpirationset152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0/providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineCryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.Key VaultKey Vault keys should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622JMGBB-CC-ADE-CMK-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vmjm-cmkade-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JMGBB-CC-ADE-CMK-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vmjm-cmkade-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JMGBB-CC-ADE-CMK-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vmjm-cmkade-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622JMGBB-CC-ADE-CMK-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vmjm-cmkade-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622JMGBB-CC-ADE-CMK-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vmjm-cmkade-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-cc-ade-cmk-eusMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskvjmcmeadeeuskv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2keysexpirationset152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0/providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineCryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.Key VaultKey Vault keys should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-cc-ade-cmk-eusMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.storage/storageaccounts/jmcmkadesajmcmkadesa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-cc-ade-cmk-eusMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.storage/storageaccounts/jmcmkadesajmcmkadesa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,jmgbb-cc-ade-cmk-eus,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.storage/storageaccounts/jmcmkadesa,jmcmkadesa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,"[Preview]: Storage account public access should be disallowed"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmgbb-cc-ade-cmk-eus,Microsoft.Storage/storageAccounts,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.storage/storageaccounts/jmcmkadesa,jmcmkadesa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,"Storage accounts should restrict network access using virtual network rules"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmgbb-cc-ade-cmk-eus,Microsoft.Storage/storageAccounts,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.storage/storageaccounts/jmcmkadesa,jmcmkadesa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.1.1,disableunrestrictednetworktostorageaccountmonitoring,34c877ad-507e-4c82-993e-3452a6e0ad3c,/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges",Storage,"Storage accounts should restrict network access"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmgbb-cc-ade-cmk-eus,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.storage/storageaccounts/jmcmkadesa,jmcmkadesa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,"Secure transfer to storage accounts should be enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmgbb-cc-ade-cmk-eus,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.storage/storageaccounts/jmcmkadesa,jmcmkadesa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,"Storage accounts should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmgbb-cc-ade-cmk-eus,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.storage/storageaccounts/jmcmkadesa,jmcmkadesa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,"[Preview]: Storage account public access should be disallowed"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmgbb-cc-ade-cmk-eus,Microsoft.Storage/storageAccounts,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.storage/storageaccounts/jmcmkadesa,jmcmkadesa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,"Storage accounts should restrict network access using virtual network rules"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmgbb-cc-ade-cmk-eus,Microsoft.Storage/storageAccounts,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.storage/storageaccounts/jmcmkadesa,jmcmkadesa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,"Storage accounts should use private link"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmgbb-cc-ade-cmk-eus,Microsoft.Storage/storageAccounts,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.storage/storageaccounts/jmcmkadesa,jmcmkadesa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,"Storage accounts should use private link"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmgbb-cc-ade-cmk-eus,Microsoft.KeyVault/vaults,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskv,jmcmeadeeuskv,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,,,1.0.2,keysexpirationset,152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0,/providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0,,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.",Key Vault,"Key Vault keys should have an expiration date"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmgbb-cc-ade-cmk-eus,Microsoft.KeyVault/vaults,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskv,jmcmeadeeuskv,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.1.0-preview,privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect,5f0bc445-3935-4915-9981-011aa2b46147,/providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147,System.Object[],tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration.",Key Vault,"[Preview]: Private endpoint should be configured for Key Vault"
1d81cec7-7ded-4731-884e-90c5aa59c622,JMGBB-CC-ADE-CMK-EUS,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm,jm-cmkade-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Linux machines should meet requirements for the Azure compute security baseline"
1d81cec7-7ded-4731-884e-90c5aa59c622,JMGBB-CC-ADE-CMK-EUS,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm,jm-cmkade-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,"Authentication to Linux machines should require SSH keys"
1d81cec7-7ded-4731-884e-90c5aa59c622,JMGBB-CC-ADE-CMK-EUS,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm,jm-cmkade-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,"Endpoint protection health issues should be resolved on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,JMGBB-CC-ADE-CMK-EUS,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm,jm-cmkade-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,"All network ports should be restricted on network security groups associated to your virtual machine"
1d81cec7-7ded-4731-884e-90c5aa59c622,JMGBB-CC-ADE-CMK-EUS,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm,jm-cmkade-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,"A vulnerability assessment solution should be enabled on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,JMGBB-CC-ADE-CMK-EUS,Microsoft.Compute/disks,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/disks/jm-cmkade-cc-vm_osdisk_1_9e89b45cf2d0455abcc2f0a4a27a5d41,jm-cmkade-cc-vm_osdisk_1_9e89b45cf2d0455abcc2f0a4a27a5d41,,,,,,,,3.0.0,,702dd420-7fcc-42c5-afe8-4026edd20fe0,/providers/microsoft.authorization/policydefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0,,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourceGroups/jmgbb-cc-ade-cmk-eus,,tbd,18c883224132411a8a33bf42,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.authorization/policyassignments/18c883224132411a8a33bf42,"Use customer-managed keys to manage the encryption at rest of the contents of your managed disks. By default, the data is encrypted at rest with platform-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/disks-cmk.",Compute,"OS and data disks should be encrypted with a customer-managed key"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmgbb-cc-ade-cmk-eus,Microsoft.KeyVault/vaults,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskv,jmcmeadeeuskv,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,,,1.0.2,keysexpirationset,152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0,/providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0,,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.",Key Vault,"Key Vault keys should have an expiration date"
1d81cec7-7ded-4731-884e-90c5aa59c622,JMGBB-CC-ADE-CMK-EUS,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm,jm-cmkade-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,JMGBB-CC-ADE-CMK-EUS,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm,jm-cmkade-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,"Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring"
1d81cec7-7ded-4731-884e-90c5aa59c622,JMGBB-CC-ADE-CMK-EUS,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm,jm-cmkade-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,"Allowlist rules in your adaptive application control policy should be updated"
1d81cec7-7ded-4731-884e-90c5aa59c622,JMGBB-CC-ADE-CMK-EUS,Microsoft.Compute/virtualMachines,tbd,eastus,,,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm,jm-cmkade-cc-vm,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,3.0.0,prerequisite_deployextensionlinux,331e8ea8-378a-410f-a2e5-ae22f38bb0da,/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da,,tbd,deployifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,,tbd,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs"
1d81cec7-7ded-4731-884e-90c5aa59c622,JMGBB-CC-ADE-CMK-EUS,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm,jm-cmkade-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,"Endpoint protection health issues should be resolved on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmgbb-cc-ade-cmk-eus,Microsoft.KeyVault/vaults,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskv,jmcmeadeeuskv,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,,,1.0.2,keysexpirationset,152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0,/providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0,,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.",Key Vault,"Key Vault keys should have an expiration date"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmgbb-cc-ade-cmk-eus,Microsoft.KeyVault/vaults,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskv,jmcmeadeeuskv,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,5.0.0,diagnosticslogsinkeyvaultmonitoring,cf820ca0-f99e-4f3e-84fb-66e913812d21,/providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised",Key Vault,"Resource logs in Key Vault should be enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmgbb-cc-ade-cmk-eus,Microsoft.KeyVault/vaults,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskv,jmcmeadeeuskv,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect,0b60c0b2-2dc2-4e1c-b5c9-abbed971de53,/providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53,azure_security_benchmark_v3.0_dp-8,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.",Key Vault,"Key vaults should have purge protection enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,JMGBB-CC-ADE-CMK-EUS,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm,jm-cmkade-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,"Endpoint protection should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,JMGBB-CC-ADE-CMK-EUS,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm,jm-cmkade-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,"Guest Configuration extension should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,JMGBB-CC-ADE-CMK-EUS,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm,jm-cmkade-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,"Vulnerabilities in container security configurations should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,JMGBB-CC-ADE-CMK-EUS,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vm,jm-cmkade-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,"IP Forwarding on your virtual machine should be disabled"
1d81cec7-7ded-4731-884e-90c5aa59c622JMGBB-CC-ADE-CMK-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vmjm-cmkade-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JMGBB-CC-ADE-CMK-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vmjm-cmkade-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JMGBB-CC-ADE-CMK-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vmjm-cmkade-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622JMGBB-CC-ADE-CMK-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vmjm-cmkade-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JMGBB-CC-ADE-CMK-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vmjm-cmkade-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JMGBB-CC-ADE-CMK-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vmjm-cmkade-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622JMGBB-CC-ADE-CMK-EUSMicrosoft.Compute/diskstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/disks/jm-cmkade-cc-vm_lun_0_2_97d5ad262d9c44c1a3c3a2f44b16ee0bjm-cmkade-cc-vm_lun_0_2_97d5ad262d9c44c1a3c3a2f44b16ee0b3.0.0702dd420-7fcc-42c5-afe8-4026edd20fe0/providers/microsoft.authorization/policydefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourceGroups/jmgbb-cc-ade-cmk-eustbd18c883224132411a8a33bf42/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.authorization/policyassignments/18c883224132411a8a33bf42Use customer-managed keys to manage the encryption at rest of the contents of your managed disks. By default, the data is encrypted at rest with platform-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/disks-cmk.ComputeOS and data disks should be encrypted with a customer-managed key
1d81cec7-7ded-4731-884e-90c5aa59c622JMGBB-CC-ADE-CMK-EUSMicrosoft.Compute/galleries/images/versionstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/galleries/jmcmeadeacgeus/images/testcmkadeimage/versions/1.0.01.0.03.0.0702dd420-7fcc-42c5-afe8-4026edd20fe0/providers/microsoft.authorization/policydefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourceGroups/jmgbb-cc-ade-cmk-eustbd18c883224132411a8a33bf42/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.authorization/policyassignments/18c883224132411a8a33bf42Use customer-managed keys to manage the encryption at rest of the contents of your managed disks. By default, the data is encrypted at rest with platform-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/disks-cmk.ComputeOS and data disks should be encrypted with a customer-managed key
1d81cec7-7ded-4731-884e-90c5aa59c622JMGBB-CC-ADE-CMK-EUSMicrosoft.Compute/galleries/images/versionstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/galleries/jmcmeadeacgeus/images/testcmkadeimage/versions/1.0.11.0.13.0.0702dd420-7fcc-42c5-afe8-4026edd20fe0/providers/microsoft.authorization/policydefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourceGroups/jmgbb-cc-ade-cmk-eustbd18c883224132411a8a33bf42/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.authorization/policyassignments/18c883224132411a8a33bf42Use customer-managed keys to manage the encryption at rest of the contents of your managed disks. By default, the data is encrypted at rest with platform-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/disks-cmk.ComputeOS and data disks should be encrypted with a customer-managed key
1d81cec7-7ded-4731-884e-90c5aa59c622JMGBB-CC-ADE-CMK-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vmjm-cmkade-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-cc-ade-cmk-eusMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskvjmcmeadeeuskv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2keysexpirationset152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0/providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineCryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.Key VaultKey Vault keys should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-cc-ade-cmk-eusMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskvjmcmeadeeuskv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2keysexpirationset152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0/providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineCryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.Key VaultKey Vault keys should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622JMGBB-CC-ADE-CMK-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vmjm-cmkade-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622JMGBB-CC-ADE-CMK-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vmjm-cmkade-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-cc-ade-cmk-eusMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskvjmcmeadeeuskv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2keysexpirationset152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0/providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineCryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.Key VaultKey Vault keys should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622JMGBB-CC-ADE-CMK-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vmjm-cmkade-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-cc-ade-cmk-eusMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.keyvault/vaults/jmcmeadeeuskvjmcmeadeeuskv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2keysexpirationset152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0/providers/microsoft.authorization/policydefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineCryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.Key VaultKey Vault keys should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622JMGBB-CC-ADE-CMK-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vmjm-cmkade-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622JMGBB-CC-ADE-CMK-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vmjm-cmkade-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622JMGBB-CC-ADE-CMK-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vmjm-cmkade-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JMGBB-CC-ADE-CMK-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vmjm-cmkade-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622JMGBB-CC-ADE-CMK-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vmjm-cmkade-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622JMGBB-CC-ADE-CMK-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vmjm-cmkade-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622JMGBB-CC-ADE-CMK-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-ade-cmk-eus/providers/microsoft.compute/virtualmachines/jm-cmkade-cc-vmjm-cmkade-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-cc-multiregion-rgMicrosoft.Network/virtualNetworkstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-multiregion-rg/providers/microsoft.network/virtualnetworks/jm-cc-multiregion-vnet-eusjm-cc-multiregion-vnet-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0-previewazurefirewalleffectfc5e4038-4584-4632-8c85-c0448d374b2c/providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2cazure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewallNetwork[Preview]: All Internet traffic should be routed via your deployed Azure Firewall
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-cc-multiregion-rgMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-multiregion-rg/providers/microsoft.network/virtualnetworks/jm-cc-multiregion-vnet-scus/subnets/cc-compute-scus-sncc-compute-scus-sn55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-cc-multiregion-rgMicrosoft.Network/virtualNetworkstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-multiregion-rg/providers/microsoft.network/virtualnetworks/jm-cc-multiregion-vnet-scusjm-cc-multiregion-vnet-scus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vnetenableddosprotectionmonitoringa7aca53f-2ed4-4466-a25e-0b45ade68efd/providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efdazure_security_benchmark_v3.0_ns-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.Security CenterAzure DDoS Protection Standard should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-cc-multiregion-rgMicrosoft.Network/virtualNetworkstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-multiregion-rg/providers/microsoft.network/virtualnetworks/jm-cc-multiregion-vnet-eusjm-cc-multiregion-vnet-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vnetenableddosprotectionmonitoringa7aca53f-2ed4-4466-a25e-0b45ade68efd/providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efdazure_security_benchmark_v3.0_ns-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.Security CenterAzure DDoS Protection Standard should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-cc-multiregion-rgMicrosoft.Network/virtualNetworkstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-multiregion-rg/providers/microsoft.network/virtualnetworks/jm-cc-multiregion-vnet-eusjm-cc-multiregion-vnet-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-cc-multiregion-rgMicrosoft.Network/virtualNetworkstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-multiregion-rg/providers/microsoft.network/virtualnetworks/jm-cc-multiregion-vnet-eusjm-cc-multiregion-vnet-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0-previewazurefirewalleffectfc5e4038-4584-4632-8c85-c0448d374b2c/providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2cazure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewallNetwork[Preview]: All Internet traffic should be routed via your deployed Azure Firewall
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-cc-multiregion-rgMicrosoft.Network/virtualNetworkstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-multiregion-rg/providers/microsoft.network/virtualnetworks/jm-cc-multiregion-vnet-eusjm-cc-multiregion-vnet-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-cc-multiregion-rgMicrosoft.Network/virtualNetworkstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-multiregion-rg/providers/microsoft.network/virtualnetworks/jm-cc-multiregion-vnet-scusjm-cc-multiregion-vnet-scus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-cc-multiregion-rgMicrosoft.Network/virtualNetworkstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-multiregion-rg/providers/microsoft.network/virtualnetworks/jm-cc-multiregion-vnet-scusjm-cc-multiregion-vnet-scus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-cc-multiregion-rgMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cc-multiregion-rg/providers/microsoft.network/virtualnetworks/jm-cc-multiregion-vnet-eus/subnets/cc-compute-eus-sncc-compute-eus-sn55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-CycleSvr-rgMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cyclesvr-rg/providers/microsoft.storage/storageaccounts/jmgbbcyclesvrrgdiagjmgbbcyclesvrrgdiag55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-CycleSvr-rgMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cyclesvr-rg/providers/microsoft.storage/storageaccounts/jmgbbcyclesvrrgdiagjmgbbcyclesvrrgdiag55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-CycleSvr-rgMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cyclesvr-rg/providers/microsoft.storage/storageaccounts/jmgbbcyclesvrrgdiagjmgbbcyclesvrrgdiag55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-CycleSvr-rgMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cyclesvr-rg/providers/microsoft.storage/storageaccounts/jmgbbcyclesvrrgdiagjmgbbcyclesvrrgdiag55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-CycleSvr-rgMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cyclesvr-rg/providers/microsoft.storage/storageaccounts/jmgbbcyclesvrrgdiagjmgbbcyclesvrrgdiag55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-CycleSvr-rgMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cyclesvr-rg/providers/microsoft.storage/storageaccounts/jmgbbcyclesvrrgdiagjmgbbcyclesvrrgdiag55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-CycleSvr-rgMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cyclesvr-rg/providers/microsoft.storage/storageaccounts/jmgbbcyclesvrrgdiagjmgbbcyclesvrrgdiag55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-CycleSvr-rgMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cyclesvr-rg/providers/microsoft.storage/storageaccounts/jmgbbcyclesvrrgdiagjmgbbcyclesvrrgdiag55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-CycleSvr-rgMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cyclesvr-rg/providers/microsoft.storage/storageaccounts/jmgbbcyclesvrrgdiagjmgbbcyclesvrrgdiag55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-CycleSvr-rgMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cyclesvr-rg/providers/microsoft.storage/storageaccounts/jmgbbcyclesvrrgdiagjmgbbcyclesvrrgdiag55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-CycleSvr-rgMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-cyclesvr-rg/providers/microsoft.storage/storageaccounts/jmgbbcyclesvrrgdiagjmgbbcyclesvrrgdiag55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-energyplus-batch-rgMicrosoft.KeyVault/vaultstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkvjmgbbenergyplusbatchkv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-energyplus-batch-rgMicrosoft.KeyVault/vaultstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkvjmgbbenergyplusbatchkv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-energyplus-batch-rgMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.storage/storageaccounts/jmgbbenergyplussajmgbbenergyplussa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-energyplus-batch-rgMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.storage/storageaccounts/jmgbbenergyplussajmgbbenergyplussa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-energyplus-batch-rgMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.storage/storageaccounts/jmgbbenergyplussajmgbbenergyplussa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-energyplus-batch-rgMicrosoft.KeyVault/vaultstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkvjmgbbenergyplusbatchkv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-energyplus-batch-rgMicrosoft.KeyVault/vaultstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkvjmgbbenergyplusbatchkv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.storage/storageaccounts/jmgbbenergyplussa | jmgbbenergyplussa | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.storage/storageaccounts/jmgbbenergyplussa | jmgbbenergyplussa | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkv | jmgbbenergyplusbatchkv | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 5.0.0 | diagnosticslogsinkeyvaultmonitoring | cf820ca0-f99e-4f3e-84fb-66e913812d21 | /providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21 | System.Object[] | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Key Vault | Resource logs in Key Vault should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.Network/virtualNetworks | tbd | southcentralus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.network/virtualnetworks/eplusvnet | eplusvnet | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.storage/storageaccounts/jmgbbenergyplussa | jmgbbenergyplussa | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.storage/storageaccounts/jmgbbenergyplussa | jmgbbenergyplussa | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.Network/virtualNetworks | tbd | southcentralus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.network/virtualnetworks/eplusvnet | eplusvnet | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.Network/virtualNetworks/subnets | tbd | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.network/virtualnetworks/eplusvnet/subnets/default | default | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.Network/virtualNetworks | tbd | southcentralus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.network/virtualnetworks/eplusvnet | eplusvnet | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-energyplus-batch-rg | Microsoft.Storage/storageAccounts | tbd | southcentralus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.storage/storageaccounts/jmgbbenergyplussa | jmgbbenergyplussa | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-energyplus-batch-rgMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.storage/storageaccounts/jmgbbenergyplussajmgbbenergyplussa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-energyplus-batch-rgMicrosoft.KeyVault/vaultstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkvjmgbbenergyplusbatchkv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-energyplus-batch-rgMicrosoft.KeyVault/vaultstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkvjmgbbenergyplusbatchkv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-energyplus-batch-rgMicrosoft.KeyVault/vaultstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkvjmgbbenergyplusbatchkv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0firewallshouldbeenabledonkeyvaultmonitoringeffect55615ac9-af46-4a59-874e-391cc3dfb490/providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490System.Object[]tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-securityKey VaultAzure Key Vault should have firewall enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-energyplus-batch-rgMicrosoft.KeyVault/vaultstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkvjmgbbenergyplusbatchkv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center5.0.0diagnosticslogsinkeyvaultmonitoringcf820ca0-f99e-4f3e-84fb-66e913812d21/providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromisedKey VaultResource logs in Key Vault should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-energyplus-batch-rgMicrosoft.KeyVault/vaultstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkvjmgbbenergyplusbatchkv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0keyvaultsshouldhavesoftdeleteenabledmonitoringeffect1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d/providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2dazure_security_benchmark_v3.0_dp-8tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDeleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.Key VaultKey vaults should have soft delete enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-energyplus-batch-rgMicrosoft.KeyVault/vaultstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkvjmgbbenergyplusbatchkv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-energyplus-batch-rgMicrosoft.KeyVault/vaultstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkvjmgbbenergyplusbatchkv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect0b60c0b2-2dc2-4e1c-b5c9-abbed971de53/providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53azure_security_benchmark_v3.0_dp-8tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMalicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.Key VaultKey vaults should have purge protection enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-energyplus-batch-rgMicrosoft.KeyVault/vaultstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkvjmgbbenergyplusbatchkv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-energyplus-batch-rgMicrosoft.Batch/batchAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.batch/batchaccounts/jmgbbenergyplusbatchjmgbbenergyplusbatch55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center5.0.0diagnosticslogsinbatchaccountmonitoring428256e6-1fac-4f48-a757-df34c2b3336d/providers/microsoft.authorization/policydefinitions/428256e6-1fac-4f48-a757-df34c2b3336dazure_security_benchmark_v3.0_lt-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromisedBatchResource logs in Batch accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-energyplus-batch-rgMicrosoft.KeyVault/vaultstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkvjmgbbenergyplusbatchkv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-energyplus-batch-rgMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.storage/storageaccounts/jmgbbenergyplussajmgbbenergyplussa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-energyplus-batch-rgMicrosoft.KeyVault/vaultstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkvjmgbbenergyplusbatchkv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-energyplus-batch-rgMicrosoft.KeyVault/vaultstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkvjmgbbenergyplusbatchkv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-energyplus-batch-rgMicrosoft.Batch/batchAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.batch/batchaccounts/jmgbbenergyplusbatchjmgbbenergyplusbatch55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center5.0.0diagnosticslogsinbatchaccountmonitoring428256e6-1fac-4f48-a757-df34c2b3336d/providers/microsoft.authorization/policydefinitions/428256e6-1fac-4f48-a757-df34c2b3336dazure_security_benchmark_v3.0_lt-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromisedBatchResource logs in Batch accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-energyplus-batch-rgMicrosoft.KeyVault/vaultstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkvjmgbbenergyplusbatchkv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-energyplus-batch-rgMicrosoft.KeyVault/vaultstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkvjmgbbenergyplusbatchkv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-energyplus-batch-rgMicrosoft.KeyVault/vaultstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkvjmgbbenergyplusbatchkv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-energyplus-batch-rgMicrosoft.KeyVault/vaultstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkvjmgbbenergyplusbatchkv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-energyplus-batch-rgMicrosoft.KeyVault/vaultstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkvjmgbbenergyplusbatchkv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-energyplus-batch-rgMicrosoft.KeyVault/vaultstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkvjmgbbenergyplusbatchkv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-energyplus-batch-rgMicrosoft.KeyVault/vaultstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkvjmgbbenergyplusbatchkv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0-previewprivateendpointshouldbeconfiguredforkeyvaultmonitoringeffect5f0bc445-3935-4915-9981-011aa2b46147/providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147System.Object[]tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPrivate link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration.Key Vault[Preview]: Private endpoint should be configured for Key Vault
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-energyplus-batch-rgMicrosoft.KeyVault/vaultstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkvjmgbbenergyplusbatchkv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-energyplus-batch-rgMicrosoft.KeyVault/vaultstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkvjmgbbenergyplusbatchkv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-energyplus-batch-rgMicrosoft.KeyVault/vaultstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkvjmgbbenergyplusbatchkv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-energyplus-batch-rgMicrosoft.KeyVault/vaultstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkvjmgbbenergyplusbatchkv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-energyplus-batch-rgMicrosoft.KeyVault/vaultstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkvjmgbbenergyplusbatchkv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-energyplus-batch-rgMicrosoft.KeyVault/vaultstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkvjmgbbenergyplusbatchkv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-energyplus-batch-rgMicrosoft.KeyVault/vaultstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkvjmgbbenergyplusbatchkv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect0b60c0b2-2dc2-4e1c-b5c9-abbed971de53/providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53azure_security_benchmark_v3.0_dp-8tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMalicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.Key VaultKey vaults should have purge protection enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-energyplus-batch-rgMicrosoft.KeyVault/vaultstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkvjmgbbenergyplusbatchkv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-energyplus-batch-rgMicrosoft.KeyVault/vaultstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkvjmgbbenergyplusbatchkv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-energyplus-batch-rgMicrosoft.KeyVault/vaultstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkvjmgbbenergyplusbatchkv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-energyplus-batch-rgMicrosoft.KeyVault/vaultstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkvjmgbbenergyplusbatchkv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0-previewprivateendpointshouldbeconfiguredforkeyvaultmonitoringeffect5f0bc445-3935-4915-9981-011aa2b46147/providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147System.Object[]tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePrivate link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration.Key Vault[Preview]: Private endpoint should be configured for Key Vault
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-energyplus-batch-rgMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.storage/storageaccounts/jmgbbenergyplussajmgbbenergyplussa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-energyplus-batch-rgMicrosoft.KeyVault/vaultstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkvjmgbbenergyplusbatchkv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0firewallshouldbeenabledonkeyvaultmonitoringeffect55615ac9-af46-4a59-874e-391cc3dfb490/providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490System.Object[]tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-securityKey VaultAzure Key Vault should have firewall enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-energyplus-batch-rgMicrosoft.KeyVault/vaultstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkvjmgbbenergyplusbatchkv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0keyvaultsshouldhavesoftdeleteenabledmonitoringeffect1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d/providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2dazure_security_benchmark_v3.0_dp-8tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineDeleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.Key VaultKey vaults should have soft delete enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-energyplus-batch-rgMicrosoft.KeyVault/vaultstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkvjmgbbenergyplusbatchkv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-energyplus-batch-rgMicrosoft.KeyVault/vaultstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkvjmgbbenergyplusbatchkv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-energyplus-batch-rgMicrosoft.KeyVault/vaultstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkvjmgbbenergyplusbatchkv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-energyplus-batch-rgMicrosoft.KeyVault/vaultstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-energyplus-batch-rg/providers/microsoft.keyvault/vaults/jmgbbenergyplusbatchkvjmgbbenergyplusbatchkv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jm-gbb-eus-kvMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-eus-kv/providers/microsoft.keyvault/vaults/jm-gbb-eus-kvjm-gbb-eus-kv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jm-gbb-eus-kvMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-eus-kv/providers/microsoft.keyvault/vaults/jm-gbb-eus-kvjm-gbb-eus-kv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jm-gbb-eus-kvMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-eus-kv/providers/microsoft.keyvault/vaults/jm-gbb-eus-kvjm-gbb-eus-kv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jm-gbb-eus-kvMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-eus-kv/providers/microsoft.keyvault/vaults/jm-gbb-eus-kvjm-gbb-eus-kv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jm-gbb-eus-kvMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-eus-kv/providers/microsoft.keyvault/vaults/jm-gbb-eus-kvjm-gbb-eus-kv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jm-gbb-eus-kvMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-eus-kv/providers/microsoft.keyvault/vaults/jm-gbb-eus-kvjm-gbb-eus-kv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jm-gbb-eus-kvMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-eus-kv/providers/microsoft.keyvault/vaults/jm-gbb-eus-kvjm-gbb-eus-kv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jm-gbb-eus-kvMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-eus-kv/providers/microsoft.keyvault/vaults/jm-gbb-eus-kvjm-gbb-eus-kv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jm-gbb-eus-kvMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-eus-kv/providers/microsoft.keyvault/vaults/jm-gbb-eus-kvjm-gbb-eus-kv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0-previewprivateendpointshouldbeconfiguredforkeyvaultmonitoringeffect5f0bc445-3935-4915-9981-011aa2b46147/providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147System.Object[]tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPrivate link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration.Key Vault[Preview]: Private endpoint should be configured for Key Vault
1d81cec7-7ded-4731-884e-90c5aa59c622jm-gbb-eus-kvMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-eus-kv/providers/microsoft.keyvault/vaults/jm-gbb-eus-kvjm-gbb-eus-kv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jm-gbb-eus-kvMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-eus-kv/providers/microsoft.keyvault/vaults/jm-gbb-eus-kvjm-gbb-eus-kv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jm-gbb-eus-kvMicrosoft.KeyVault/vaultstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-eus-kv/providers/microsoft.keyvault/vaults/jm-gbb-eus-kvjm-gbb-eus-kv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect0b60c0b2-2dc2-4e1c-b5c9-abbed971de53/providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53azure_security_benchmark_v3.0_dp-8tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMalicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.Key VaultKey vaults should have purge protection enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-gbb-eus-kvMicrosoft.KeyVault/vaultstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-eus-kv/providers/microsoft.keyvault/vaults/jm-gbb-eus-kvjm-gbb-eus-kv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0keyvaultsshouldhavesoftdeleteenabledmonitoringeffect1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d/providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2dazure_security_benchmark_v3.0_dp-8tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineDeleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.Key VaultKey vaults should have soft delete enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-gbb-eus-kvMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-eus-kv/providers/microsoft.keyvault/vaults/jm-gbb-eus-kvjm-gbb-eus-kv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0firewallshouldbeenabledonkeyvaultmonitoringeffect55615ac9-af46-4a59-874e-391cc3dfb490/providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490System.Object[]tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-securityKey VaultAzure Key Vault should have firewall enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-gbb-eus-kvMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-eus-kv/providers/microsoft.keyvault/vaults/jm-gbb-eus-kvjm-gbb-eus-kv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0firewallshouldbeenabledonkeyvaultmonitoringeffect55615ac9-af46-4a59-874e-391cc3dfb490/providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490System.Object[]tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-securityKey VaultAzure Key Vault should have firewall enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-gbb-eus-kvMicrosoft.KeyVault/vaultstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-eus-kv/providers/microsoft.keyvault/vaults/jm-gbb-eus-kvjm-gbb-eus-kv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0keyvaultsshouldhavesoftdeleteenabledmonitoringeffect1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d/providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2dazure_security_benchmark_v3.0_dp-8tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDeleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.Key VaultKey vaults should have soft delete enabled
SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622
ResourceGroup: jm-gbb-eus-kv
ResourceType: Microsoft.KeyVault/vaults
ResourceTags: tbd
ResourceLocation: eastus
IsCompliant: True
ComplianceState: Compliant
ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-eus-kv/providers/microsoft.keyvault/vaults/jm-gbb-eus-kv
Resource: jm-gbb-eus-kv
PolicySetDefinitionVersion: 55.0.0
PolicySetDefinitionName: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicySetDefinitionId: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicySetDefinitionCategory: security center
PolicyDefinitionVersion: 2.0.0
PolicyDefinitionReferenceId: keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect
PolicyDefinitionName: 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53
PolicyDefinitionId: /providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53
PolicyDefinitionGroupNames: azure_security_benchmark_v3.0_dp-8
PolicyDefinitionCategory: tbd
PolicyDefinitionAction: audit
PolicyAssignmentScope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622
PolicyAssignmentParameters: tbd
PolicyAssignmentName: SecurityCenterBuiltIn
PolicyAssignmentId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
PolicyDescription: Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.
PolicyCategory: Key Vault
PolicyDisplayName: Key vaults should have purge protection enabled

SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622
ResourceGroup: jm-gbb-eus-kv
ResourceType: Microsoft.KeyVault/vaults
ResourceTags: tbd
ResourceLocation: eastus
IsCompliant: False
ComplianceState: NonCompliant
ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-eus-kv/providers/microsoft.keyvault/vaults/jm-gbb-eus-kv
Resource: jm-gbb-eus-kv
PolicySetDefinitionVersion: 55.0.0
PolicySetDefinitionName: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicySetDefinitionId: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicySetDefinitionCategory: security center
PolicyDefinitionVersion: 1.1.0-preview
PolicyDefinitionReferenceId: privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect
PolicyDefinitionName: 5f0bc445-3935-4915-9981-011aa2b46147
PolicyDefinitionId: /providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147
PolicyDefinitionGroupNames: System.Object[]
PolicyDefinitionCategory: tbd
PolicyDefinitionAction: audit
PolicyAssignmentScope: /providers/Microsoft.Management/managementGroups/MCAPSCore
PolicyAssignmentParameters: tbd
PolicyAssignmentName: Azure_Security_Baseline
PolicyAssignmentId: /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
PolicyDescription: Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration.
PolicyCategory: Key Vault
PolicyDisplayName: [Preview]: Private endpoint should be configured for Key Vault

SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622
ResourceGroup: jm-gbb-eus-kv
ResourceType: Microsoft.KeyVault/vaults
ResourceTags: tbd
ResourceLocation: eastus
IsCompliant: False
ComplianceState: NonCompliant
ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-eus-kv/providers/microsoft.keyvault/vaults/jm-gbb-eus-kv
Resource: jm-gbb-eus-kv
PolicySetDefinitionVersion: 55.0.0
PolicySetDefinitionName: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicySetDefinitionId: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicyDefinitionVersion: 1.0.2
PolicyDefinitionReferenceId: secretsexpirationset
PolicyDefinitionName: 98728c90-32c7-4049-8429-847dc0f4fe37
PolicyDefinitionId: /providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37
PolicyDefinitionCategory: tbd
PolicyDefinitionAction: audit
PolicyAssignmentScope: /providers/Microsoft.Management/managementGroups/MCAPSCore
PolicyAssignmentParameters: tbd
PolicyAssignmentName: Azure_Security_Baseline
PolicyAssignmentId: /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
PolicyDescription: Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.
PolicyCategory: Key Vault
PolicyDisplayName: Key Vault secrets should have an expiration date
SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622
ResourceGroup: jm-gbb-eus-kv
ResourceType: Microsoft.KeyVault/vaults
ResourceTags: tbd
ResourceLocation: eastus
IsCompliant: False
ComplianceState: NonCompliant
ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-eus-kv/providers/microsoft.keyvault/vaults/jm-gbb-eus-kv
Resource: jm-gbb-eus-kv
PolicySetDefinitionVersion: 55.0.0
PolicySetDefinitionName: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicySetDefinitionId: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicySetDefinitionCategory: security center
PolicyDefinitionVersion: 5.0.0
PolicyDefinitionReferenceId: diagnosticslogsinkeyvaultmonitoring
PolicyDefinitionName: cf820ca0-f99e-4f3e-84fb-66e913812d21
PolicyDefinitionId: /providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21
PolicyDefinitionGroupNames: System.Object[]
PolicyDefinitionCategory: tbd
PolicyDefinitionAction: auditifnotexists
PolicyAssignmentScope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622
PolicyAssignmentParameters: tbd
PolicyAssignmentName: SecurityCenterBuiltIn
PolicyAssignmentId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
PolicyDescription: Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised.
PolicyCategory: Key Vault
PolicyDisplayName: Resource logs in Key Vault should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-gbb-eus-kvMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-eus-kv/providers/microsoft.keyvault/vaults/jm-gbb-eus-kvjm-gbb-eus-kv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jm-gbb-eus-kvMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-eus-kv/providers/microsoft.keyvault/vaults/jm-gbb-eus-kvjm-gbb-eus-kv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jm-gbb-eus-kvMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-eus-kv/providers/microsoft.keyvault/vaults/jm-gbb-eus-kvjm-gbb-eus-kv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center5.0.0diagnosticslogsinkeyvaultmonitoringcf820ca0-f99e-4f3e-84fb-66e913812d21/providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromisedKey VaultResource logs in Key Vault should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-gbb-eus-kvMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-eus-kv/providers/microsoft.keyvault/vaults/jm-gbb-eus-kvjm-gbb-eus-kv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jm-gbb-eus-kvMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-eus-kv/providers/microsoft.keyvault/vaults/jm-gbb-eus-kvjm-gbb-eus-kv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-eventgrid-topicMicrosoft.EventHub/namespacestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-eventgrid-topic/providers/microsoft.eventhub/namespaces/jmgbb-eventhubjmgbb-eventhub55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center5.0.0diagnosticslogsineventhubmonitoring83a214f7-d01a-484b-91a9-ed54470c9a6a/providers/microsoft.authorization/policydefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6aazure_security_benchmark_v3.0_lt-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromisedEvent HubResource logs in Event Hub should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-eventgrid-topicMicrosoft.EventHub/namespacestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-eventgrid-topic/providers/microsoft.eventhub/namespaces/jmgbb-eventhubjmgbb-eventhub55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center5.0.0diagnosticslogsineventhubmonitoring83a214f7-d01a-484b-91a9-ed54470c9a6a/providers/microsoft.authorization/policydefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6aazure_security_benchmark_v3.0_lt-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromisedEvent HubResource logs in Event Hub should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-eventgrid-topicMicrosoft.EventGrid/topicstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-eventgrid-topic/providers/microsoft.eventgrid/topics/jm-cycle-eventgridtopicjm-cycle-eventgridtopic55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2azureeventgridtopicsshoulduseprivatelinkmonitoringeffect4b90e17e-8448-49db-875e-bd83fb6f804f/providers/microsoft.authorization/policydefinitions/4b90e17e-8448-49db-875e-bd83fb6f804fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints.Event GridAzure Event Grid topics should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-eventgrid-topicMicrosoft.EventGrid/topicstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-eventgrid-topic/providers/microsoft.eventgrid/topics/jm-cycle-eventgridtopicjm-cycle-eventgridtopic55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2azureeventgridtopicsshoulduseprivatelinkmonitoringeffect4b90e17e-8448-49db-875e-bd83fb6f804f/providers/microsoft.authorization/policydefinitions/4b90e17e-8448-49db-875e-bd83fb6f804fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints.Event GridAzure Event Grid topics should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-mlworkspace-eus-rgMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-mlworkspace-eus-rg/providers/microsoft.storage/storageaccounts/jmgbbmlworkspa0740614504jmgbbmlworkspa074061450455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-mlworkspace-eus-rgMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-mlworkspace-eus-rg/providers/microsoft.storage/storageaccounts/jmgbbmlworkspa0740614504jmgbbmlworkspa074061450455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-mlworkspace-eus-rgMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-mlworkspace-eus-rg/providers/microsoft.storage/storageaccounts/jmgbbmlworkspa0740614504jmgbbmlworkspa074061450455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-mlworkspace-eus-rgMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-mlworkspace-eus-rg/providers/microsoft.storage/storageaccounts/jmgbbmlworkspa0740614504jmgbbmlworkspa074061450455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-mlworkspace-eus-rgMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-mlworkspace-eus-rg/providers/microsoft.storage/storageaccounts/jmgbbmlworkspa0740614504jmgbbmlworkspa074061450455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-mlworkspace-eus-rgMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-mlworkspace-eus-rg/providers/microsoft.storage/storageaccounts/jmgbbmlworkspa0740614504jmgbbmlworkspa074061450455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-mlworkspace-eus-rgMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-mlworkspace-eus-rg/providers/microsoft.storage/storageaccounts/jmgbbmlworkspa0740614504jmgbbmlworkspa074061450455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-mlworkspace-eus-rgMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-mlworkspace-eus-rg/providers/microsoft.storage/storageaccounts/jmgbbmlworkspa0740614504jmgbbmlworkspa074061450455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-mlworkspace-eus-rgMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-mlworkspace-eus-rg/providers/microsoft.storage/storageaccounts/jmgbbmlworkspa0740614504jmgbbmlworkspa074061450455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-mlworkspace-eus-rgMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-mlworkspace-eus-rg/providers/microsoft.storage/storageaccounts/jmgbbmlworkspa0740614504jmgbbmlworkspa074061450455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-mlworkspace-eus-rgMicrosoft.MachineLearningServices/workspacestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-mlworkspace-eus-rg/providers/microsoft.machinelearningservices/workspaces/jmgbb-mlworkspace-eus-mljmgbb-mlworkspace-eus-ml55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0azuremachinelearningworkspacesshoulduseprivatelinkmonitoringeffect40cec1dd-a100-4920-b15b-3024fe8901ab/providers/microsoft.authorization/policydefinitions/40cec1dd-a100-4920-b15b-3024fe8901abazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link.Machine LearningAzure Machine Learning workspaces should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-mlworkspace-eus-rgMicrosoft.MachineLearningServices/workspacestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-mlworkspace-eus-rg/providers/microsoft.machinelearningservices/workspaces/jmgbb-mlworkspace-eus-mljmgbb-mlworkspace-eus-ml55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0azuremachinelearningworkspacesshoulduseprivatelinkmonitoringeffect40cec1dd-a100-4920-b15b-3024fe8901ab/providers/microsoft.authorization/policydefinitions/40cec1dd-a100-4920-b15b-3024fe8901abazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link.Machine LearningAzure Machine Learning workspaces should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-mlworkspace-eus-rgMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-mlworkspace-eus-rg/providers/microsoft.storage/storageaccounts/jmgbbmlworkspa0740614504jmgbbmlworkspa074061450455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-purview-eus-managed-rgMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-purview-eus-managed-rg/providers/microsoft.storage/storageaccounts/scaneastuslsucubsscaneastuslsucubs55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
Policy-state rows for subscription 1d81cec7-7ded-4731-884e-90c5aa59c622 (the export had dropped its column delimiters; they are restored below, with columns that are constant or derivable stated once here). Every row is evaluated under policy set 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (PolicySetDefinitionCategory "security center", PolicySetDefinitionVersion 55.0.0), except the prerequisite_addsystemidentitywhennone row, which belongs to policy set 12794019-7a00-42cf-95c2-882eed337cc8 ("guest configuration", 1.0.0). ResourceTags, PolicyDefinitionCategory and PolicyAssignmentParameters hold the placeholder "tbd" in every row; EffectiveParameters, PolicySetDefinitionParameters, PolicySetDefinitionOwner, PolicyEvaluationDetails, PolicyAssignmentVersion and PolicyAssignmentOwner are empty. ResourceId is /subscriptions/<SubscriptionId>/resourcegroups/<ResourceGroup>/providers/<ResourceType>/<Resource> (lower-cased); PolicySetDefinitionId is /providers/Microsoft.Authorization/policySetDefinitions/<PolicySetDefinitionName>; PolicyDefinitionId is /providers/microsoft.authorization/policydefinitions/<PolicyDefinitionName>; PolicyAssignmentId is <PolicyAssignmentScope>/providers/microsoft.authorization/policyassignments/<PolicyAssignmentName> (lower-cased). PolicyDescription is listed once per PolicyDefinitionName after the table.

ResourceGroup,ResourceType,ResourceLocation,ComplianceState,Resource,PolicyDefinitionVersion,PolicyDefinitionReferenceId,PolicyDefinitionName,PolicyDefinitionGroupNames,PolicyDefinitionAction,PolicyAssignmentScope,PolicyAssignmentName,PolicyCategory,PolicyDisplayName
jmgbb-purview-eus-managed-rg,Microsoft.Storage/storageAccounts,eastus,Compliant,scaneastuslsucubs,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,audit,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Storage,Secure transfer to storage accounts should be enabled
jmgbb-purview-eus-managed-rg,Microsoft.Storage/storageAccounts,eastus,Compliant,scaneastuslsucubs,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,audit,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Storage,Storage accounts should be migrated to new Azure Resource Manager resources
jmgbb-purview-eus-managed-rg,Microsoft.Storage/storageAccounts,eastus,Compliant,scaneastuslsucubs,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,audit,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Storage,[Preview]: Storage account public access should be disallowed
jmgbb-purview-eus-managed-rg,Microsoft.Storage/storageAccounts,eastus,NonCompliant,scaneastuslsucubs,1.1.1,disableunrestrictednetworktostorageaccountmonitoring,34c877ad-507e-4c82-993e-3452a6e0ad3c,azure_security_benchmark_v3.0_ns-2,audit,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Storage,Storage accounts should restrict network access
jmgbb-purview-eus-managed-rg,Microsoft.Storage/storageAccounts,eastus,Compliant,scaneastuslsucubs,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,audit,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Storage,Secure transfer to storage accounts should be enabled
jmgbb-purview-eus-managed-rg,Microsoft.Storage/storageAccounts,eastus,NonCompliant,scaneastuslsucubs,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,auditifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Storage,Storage accounts should use private link
jmgbb-purview-eus-managed-rg,Microsoft.Storage/storageAccounts,eastus,Compliant,scaneastuslsucubs,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,audit,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Storage,Storage accounts should be migrated to new Azure Resource Manager resources
jmgbb-purview-eus-managed-rg,Microsoft.Storage/storageAccounts,eastus,Compliant,scaneastuslsucubs,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,audit,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Storage,[Preview]: Storage account public access should be disallowed
jmgbb-purview-eus-managed-rg,Microsoft.Storage/storageAccounts,eastus,NonCompliant,scaneastuslsucubs,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,audit,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Storage,Storage accounts should restrict network access using virtual network rules
jmgbb-purview-eus-managed-rg,Microsoft.EventHub/namespaces,eastus,NonCompliant,atlas-a6bcfe6a-1425-4cb8-86d7-304512290217,5.0.0,diagnosticslogsineventhubmonitoring,83a214f7-d01a-484b-91a9-ed54470c9a6a,azure_security_benchmark_v3.0_lt-3,auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Event Hub,Resource logs in Event Hub should be enabled
jmgbb-purview-eus-managed-rg,Microsoft.EventHub/namespaces,eastus,NonCompliant,atlas-a6bcfe6a-1425-4cb8-86d7-304512290217,5.0.0,diagnosticslogsineventhubmonitoring,83a214f7-d01a-484b-91a9-ed54470c9a6a,azure_security_benchmark_v3.0_lt-3,auditifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Event Hub,Resource logs in Event Hub should be enabled
jmgbb-purview-eus-managed-rg,Microsoft.Storage/storageAccounts,eastus,NonCompliant,scaneastuslsucubs,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Storage,Storage accounts should use private link
JM-GBB-SERVICES-RG,Microsoft.Compute/virtualMachines,southcentralus,NonCompliant,jm-gbb-cc-ucla-tomcat,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Security Center,Adaptive application controls for defining safe applications should be enabled on your machines
JM-GBB-SERVICES-RG,Microsoft.Compute/virtualMachines,southcentralus,Compliant,jm-gbb-cc-ucla-tomcat,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],auditifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Security Center,Vulnerabilities in container security configurations should be remediated
jm-gbb-services-rg,Microsoft.KeyVault/vaults,southcentralus,NonCompliant,jm-gbb-scus-kv,2.0.0,keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect,0b60c0b2-2dc2-4e1c-b5c9-abbed971de53,azure_security_benchmark_v3.0_dp-8,audit,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Key Vault,Key vaults should have purge protection enabled
JM-GBB-SERVICES-RG,Microsoft.Compute/virtualMachines,southcentralus,NonCompliant,jm-gbb-cc-ucla-tomcat,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,auditifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Guest Configuration,Linux machines should meet requirements for the Azure compute security baseline
JM-GBB-SERVICES-RG,Microsoft.Compute/virtualMachines,southcentralus,Compliant,jm-gbb-cc-ucla-tomcat,4.0.0,prerequisite_addsystemidentitywhennone,3cf2ab00-13f1-4d0c-8971-2ac904541a7e,,modify,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,f34f1577286a4f77b5dd107c,Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
jm-gbb-services-rg,Microsoft.KeyVault/vaults,southcentralus,NonCompliant,jm-gbb-scus-kv,5.0.0,diagnosticslogsinkeyvaultmonitoring,cf820ca0-f99e-4f3e-84fb-66e913812d21,System.Object[],auditifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Key Vault,Resource logs in Key Vault should be enabled
jm-gbb-services-rg,Microsoft.KeyVault/vaults,southcentralus,NonCompliant,jm-gbb-scus-kv,1.1.0-preview,privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect,5f0bc445-3935-4915-9981-011aa2b46147,System.Object[],audit,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Key Vault,[Preview]: Private endpoint should be configured for Key Vault
JM-GBB-SERVICES-RG,Microsoft.Compute/virtualMachines,southcentralus,Compliant,jm-gbb-cc-ucla-tomcat,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],auditifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Security Center,Adaptive network hardening recommendations should be applied on internet facing virtual machines
JM-GBB-SERVICES-RG,Microsoft.Compute/virtualMachines,southcentralus,Compliant,jm-gbb-cc-ucla-tomcat,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,auditifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Security Center,All network ports should be restricted on network security groups associated to your virtual machine
JM-GBB-SERVICES-RG,Microsoft.Compute/virtualMachines,southcentralus,NonCompliant,jm-gbb-cc-ucla-tomcat,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,auditifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Security Center,SQL servers on machines should have vulnerability findings resolved
JM-GBB-SERVICES-RG,Microsoft.Compute/virtualMachines,southcentralus,Compliant,jm-gbb-cc-ucla-tomcat,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,auditifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Security Center,Management ports should be closed on your virtual machines
JM-GBB-SERVICES-RG,Microsoft.Compute/virtualMachines,southcentralus,NonCompliant,jm-gbb-cc-ucla-tomcat,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],auditifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Security Center,Endpoint protection health issues should be resolved on your machines
JM-GBB-SERVICES-RG,Microsoft.Compute/virtualMachines,southcentralus,NonCompliant,jm-gbb-cc-ucla-tomcat,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,auditifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Security Center,Endpoint protection should be installed on your machines
JM-GBB-SERVICES-RG,Microsoft.Compute/virtualMachines,southcentralus,Compliant,jm-gbb-cc-ucla-tomcat,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,auditifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Security Center,IP Forwarding on your virtual machine should be disabled
JM-GBB-SERVICES-RG,Microsoft.Compute/virtualMachines,southcentralus,NonCompliant,jm-gbb-cc-ucla-tomcat,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Guest Configuration,Linux machines should meet requirements for the Azure compute security baseline
jm-gbb-services-rg,Microsoft.KeyVault/vaults,southcentralus,NonCompliant,jm-gbb-scus-kv,2.0.0,keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect,0b60c0b2-2dc2-4e1c-b5c9-abbed971de53,azure_security_benchmark_v3.0_dp-8,audit,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Key Vault,Key vaults should have purge protection enabled
jm-gbb-services-rg,Microsoft.KeyVault/vaults,southcentralus,NonCompliant,jm-gbb-scus-kv,3.0.0,firewallshouldbeenabledonkeyvaultmonitoringeffect,55615ac9-af46-4a59-874e-391cc3dfb490,System.Object[],audit,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Key Vault,Azure Key Vault should have firewall enabled
JM-GBB-SERVICES-RG,Microsoft.Compute/virtualMachines,southcentralus,NonCompliant,jm-gbb-cc-ucla-tomcat,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,System.Object[],auditifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Backup,Azure Backup should be enabled for Virtual Machines

PolicyDescription by PolicyDefinitionName (identical in every row that evaluates the same definition):
404c3081-a854-4457-ae30-26a93ef643f9 (securetransfertostorageaccountmonitoring): Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.
37e0d2fe-28a5-43d6-a273-67d37d1f5606 (classicstorageaccountsmonitoring): Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management.
4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 (storagedisallowpublicaccess): Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.
34c877ad-507e-4c82-993e-3452a6e0ad3c (disableunrestrictednetworktostorageaccountmonitoring): Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.
6edd7eda-6dd8-40f7-810d-67160c639cd9 (storageaccountshoulduseaprivatelinkconnectionmonitoringeffect): Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at https://aka.ms/azureprivatelinkoverview
2a1a9cdf-e04d-429a-8416-3bfb72a1b26f (storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect): Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.
83a214f7-d01a-484b-91a9-ed54470c9a6a (diagnosticslogsineventhubmonitoring): Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised.
47a6b606-51aa-4496-8bb7-64b11cf66adc (adaptiveapplicationcontrolsmonitoring): Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.
e8cbc669-f12d-49eb-93e7-9273119e9933 (containerbenchmarkmonitoring): Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.
0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 (keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect): Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.
fc9b3da7-8347-4380-8e70-0a0361d8dedd (linuxguestconfigbaselinesmonitoring): Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.
3cf2ab00-13f1-4d0c-8971-2ac904541a7e (prerequisite_addsystemidentitywhennone): This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.
cf820ca0-f99e-4f3e-84fb-66e913812d21 (diagnosticslogsinkeyvaultmonitoring): Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised.
5f0bc445-3935-4915-9981-011aa2b46147 (privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect): Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration.
08e6af2d-db70-460a-bfe9-d5bd474ba9d6 (adaptivenetworkhardeningsmonitoring): Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface.
9daedab3-fb2d-461e-b861-71790eead4f6 (nextgenerationfirewallmonitoring): Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.
6ba6d016-e7c3-4842-b8f2-4992ebc0d72d (serversqldbvulnerabilityassesmentmonitoring): SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.
22730e10-96f6-4aac-ad84-9383d35b5917 (restrictaccesstomanagementportsmonitoring): Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.
8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 (endpointprotectionhealthissuesmonitoringeffect): Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here: https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here: https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.
1f7c564c-0a90-4d44-b7e1-9d456cffaee8 (installendpointprotection): To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.
bd352bd5-2853-4985-bf0d-73806b4a5744 (disableipforwardingmonitoring): Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.
55615ac9-af46-4a59-874e-391cc3dfb490 (firewallshouldbeenabledonkeyvaultmonitoringeffect): Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security
013e242c-8828-4970-87b3-ab247555486d (azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect): Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.
1d81cec7-7ded-4731-884e-90c5aa59c622jm-gbb-services-rgMicrosoft.KeyVault/vaultstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.keyvault/vaults/jm-gbb-scus-kvjm-gbb-scus-kv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0keyvaultsshouldhavesoftdeleteenabledmonitoringeffect1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d/providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2dazure_security_benchmark_v3.0_dp-8tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineDeleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.Key VaultKey vaults should have soft delete enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-gbb-services-rgMicrosoft.Compute/virtualMachines/extensionstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622jm-gbb-services-rgMicrosoft.KeyVault/vaultstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.keyvault/vaults/jm-gbb-scus-kvjm-gbb-scus-kv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0-previewprivateendpointshouldbeconfiguredforkeyvaultmonitoringeffect5f0bc445-3935-4915-9981-011aa2b46147/providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147System.Object[]tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPrivate link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration.Key Vault[Preview]: Private endpoint should be configured for Key Vault
1d81cec7-7ded-4731-884e-90c5aa59c622JM-GBB-SERVICES-RGMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcatjm-gbb-cc-ucla-tomcat55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622JM-GBB-SERVICES-RGMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcatjm-gbb-cc-ucla-tomcat55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622jm-gbb-services-rgMicrosoft.KeyVault/vaultstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.keyvault/vaults/jm-gbb-scus-kvjm-gbb-scus-kv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0firewallshouldbeenabledonkeyvaultmonitoringeffect55615ac9-af46-4a59-874e-391cc3dfb490/providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490System.Object[]tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-securityKey VaultAzure Key Vault should have firewall enabled
1d81cec7-7ded-4731-884e-90c5aa59c622JM-GBB-SERVICES-RGMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcatjm-gbb-cc-ucla-tomcat55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-gbb-services-rgMicrosoft.Network/virtualNetworkstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.network/virtualnetworks/jm-gbb-services-rg-vnetjm-gbb-services-rg-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622JM-GBB-SERVICES-RGMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcatjm-gbb-cc-ucla-tomcat55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622JM-GBB-SERVICES-RGMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcatjm-gbb-cc-ucla-tomcat55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622JM-GBB-SERVICES-RGMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcatjm-gbb-cc-ucla-tomcat55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-GBB-SERVICES-RGMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcatjm-gbb-cc-ucla-tomcat55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-gbb-services-rgMicrosoft.KeyVault/vaultstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.keyvault/vaults/jm-gbb-scus-kvjm-gbb-scus-kv55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0keyvaultsshouldhavesoftdeleteenabledmonitoringeffect1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d/providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2dazure_security_benchmark_v3.0_dp-8tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDeleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.Key VaultKey vaults should have soft delete enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-gbb-services-rgMicrosoft.Network/virtualNetworkstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.network/virtualnetworks/jm-gbb-services-rg-vnetjm-gbb-services-rg-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vnetenableddosprotectionmonitoringa7aca53f-2ed4-4466-a25e-0b45ade68efd/providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efdazure_security_benchmark_v3.0_ns-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.Security CenterAzure DDoS Protection Standard should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622JM-GBB-SERVICES-RGMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcatjm-gbb-cc-ucla-tomcat55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622JM-GBB-SERVICES-RGMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcatjm-gbb-cc-ucla-tomcat1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622JM-GBB-SERVICES-RGMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcatjm-gbb-cc-ucla-tomcat55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622JM-GBB-SERVICES-RGMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcatjm-gbb-cc-ucla-tomcat55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-GBB-SERVICES-RGMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcatjm-gbb-cc-ucla-tomcat55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622JM-GBB-SERVICES-RGMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcatjm-gbb-cc-ucla-tomcat55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-GBB-SERVICES-RGMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcatjm-gbb-cc-ucla-tomcat55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-GBB-SERVICES-RGMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcatjm-gbb-cc-ucla-tomcat55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622JM-GBB-SERVICES-RGMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcatjm-gbb-cc-ucla-tomcat55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622JM-GBB-SERVICES-RGMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcatjm-gbb-cc-ucla-tomcat55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622JM-GBB-SERVICES-RGMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcatjm-gbb-cc-ucla-tomcat1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration3.0.0prerequisite_deployextensionlinux331e8ea8-378a-410f-a2e5-ae22f38bb0da/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0datbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622JM-GBB-SERVICES-RGMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcatjm-gbb-cc-ucla-tomcat55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-GBB-SERVICES-RGMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcatjm-gbb-cc-ucla-tomcat55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-GBB-SERVICES-RGMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcatjm-gbb-cc-ucla-tomcat55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-GBB-SERVICES-RGMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcatjm-gbb-cc-ucla-tomcat55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622JM-GBB-SERVICES-RGMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcatjm-gbb-cc-ucla-tomcat55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-GBB-SERVICES-RGMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcatjm-gbb-cc-ucla-tomcat55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622JM-GBB-SERVICES-RGMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcatjm-gbb-cc-ucla-tomcat55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-GBB-SERVICES-RGMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcatjm-gbb-cc-ucla-tomcat55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622JM-GBB-SERVICES-RGMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcatjm-gbb-cc-ucla-tomcat55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-GBB-SERVICES-RGMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcatjm-gbb-cc-ucla-tomcat55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622JM-GBB-SERVICES-RGMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcatjm-gbb-cc-ucla-tomcat55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622JM-GBB-SERVICES-RGMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcatjm-gbb-cc-ucla-tomcat55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622JM-GBB-SERVICES-RGMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcatjm-gbb-cc-ucla-tomcat55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622JM-GBB-SERVICES-RGMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcatjm-gbb-cc-ucla-tomcat55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622JM-GBB-SERVICES-RGMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcatjm-gbb-cc-ucla-tomcat55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-GBB-SERVICES-RGMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcatjm-gbb-cc-ucla-tomcat55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-GBB-SERVICES-RGMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcatjm-gbb-cc-ucla-tomcat55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-GBB-SERVICES-RGMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcatjm-gbb-cc-ucla-tomcat55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622JM-GBB-SERVICES-RGMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcatjm-gbb-cc-ucla-tomcat55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-GBB-SERVICES-RGMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcatjm-gbb-cc-ucla-tomcat55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-GBB-SERVICES-RGMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcatjm-gbb-cc-ucla-tomcat55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622JM-GBB-SERVICES-RGMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcatjm-gbb-cc-ucla-tomcat55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622JM-GBB-SERVICES-RGMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcatjm-gbb-cc-ucla-tomcat55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622JM-GBB-SERVICES-RGMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcatjm-gbb-cc-ucla-tomcat55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-gbb-services-rg | Microsoft.Network/virtualNetworks | tbd | southcentralus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.network/virtualnetworks/jm-gbb-services-rg-vnet | jm-gbb-services-rg-vnet | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-gbb-services-rg | Microsoft.KeyVault/vaults | tbd | southcentralus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.keyvault/vaults/jm-gbb-scus-kv | jm-gbb-scus-kv | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 5.0.0 | diagnosticslogsinkeyvaultmonitoring | cf820ca0-f99e-4f3e-84fb-66e913812d21 | /providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21 | System.Object[] | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Key Vault | Resource logs in Key Vault should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-gbb-services-rg | Microsoft.Network/virtualNetworks/subnets | tbd |  | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.network/virtualnetworks/jm-gbb-services-rg-vnet/subnets/default | default | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622 | JM-GBB-SERVICES-RG | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat | jm-gbb-cc-ucla-tomcat | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-gbb-services-rg | Microsoft.Compute/virtualMachines/extensions | tbd | southcentralus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-gbb-services-rg/providers/microsoft.compute/virtualmachines/jm-gbb-cc-ucla-tomcat/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.storage/storageaccounts/jmgbbus2sa | jmgbbus2sa | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 1.0.0 |  |  | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration |  | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da |  | tbd | deployifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | tbd |  | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Storage/storageAccounts | tbd | westus2 | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.storage/storageaccounts/jmgbbxnfssawus2 | jmgbbxnfssawus2 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines/extensions | tbd | westus2 | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622 | jmgbb-wus2-rg | Microsoft.Compute/virtualMachines | tbd | westus2 | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm | jmgbb-lsf-master-vm | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-wus2-rgMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vmjmgbb-lsf-master-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-wus2-rgMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vmjmgbb-lsf-master-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-wus2-rgMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vmjmgbb-lsf-master-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-wus2-rgMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vmjmgbb-lsf-master-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-wus2-rgMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vmjmgbb-lsf-master-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-wus2-rgMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vmjmgbb-lsf-master-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2-previewascdependencyagentauditlinuxeffect04c4380f-3fae-46e8-96c9-30193528f602/providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602azure_security_benchmark_v3.0_lt-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecurity Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.Monitoring[Preview]: Network traffic data collection agent should be installed on Linux virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-wus2-rgMicrosoft.Compute/virtualMachinestbdwestus2TrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vmjmgbb-lsf-master-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-wus2-rgMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vmjmgbb-lsf-master-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-wus2-rgMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vmjmgbb-lsf-master-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-wus2-rgMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vmjmgbb-lsf-master-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-wus2-rgMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vmjmgbb-lsf-master-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-wus2-rgMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vmjmgbb-lsf-master-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-wus2-rgMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vmjmgbb-lsf-master-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-wus2-rgMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vmjmgbb-lsf-master-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-wus2-rgMicrosoft.Storage/storageAccountstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.storage/storageaccounts/jmgbbus2sajmgbbus2sa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-wus2-rgMicrosoft.Storage/storageAccountstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.storage/storageaccounts/jmgbbus2sajmgbbus2sa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-wus2-rgMicrosoft.Storage/storageAccountstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.storage/storageaccounts/jmgbbus2sajmgbbus2sa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-wus2-rgMicrosoft.Storage/storageAccountstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.storage/storageaccounts/jmgbbus2sajmgbbus2sa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-wus2-rgMicrosoft.Storage/storageAccountstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.storage/storageaccounts/jmgbbus2sajmgbbus2sa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-wus2-rgMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vmjmgbb-lsf-master-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-wus2-rgMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vmjmgbb-lsf-master-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-wus2-rgMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vmjmgbb-lsf-master-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-wus2-rgMicrosoft.Network/virtualNetworkstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.network/virtualnetworks/jmgbb-wus2-vnetjmgbb-wus2-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jmgbb-wus2-rg,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm,jmgbb-lsf-master-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,"[Preview]: System updates should be installed on your machines (powered by Update Center)"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmgbb-wus2-rg,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm,jmgbb-lsf-master-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,"System updates should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmgbb-wus2-rg,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm,jmgbb-lsf-master-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,"Guest Configuration extension should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmgbb-wus2-rg,Microsoft.Storage/storageAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.storage/storageaccounts/jmgbbus2sa,jmgbbus2sa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,"Storage accounts should use private link"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmgbb-wus2-rg,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm,jmgbb-lsf-master-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,"Vulnerabilities in container security configurations should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmgbb-wus2-rg,Microsoft.Network/virtualNetworks,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.network/virtualnetworks/jmgbb-wus2-vnet,jmgbb-wus2-vnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0-preview,azurefirewalleffect,fc5e4038-4584-4632-8c85-c0448d374b2c,/providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall",Network,"[Preview]: All Internet traffic should be routed via your deployed Azure Firewall"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmgbb-wus2-rg,Microsoft.Compute/virtualMachines/extensions,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm/extensions/azurepolicyforlinux,azurepolicyforlinux,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,"Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmgbb-wus2-rg,Microsoft.Compute/virtualMachines,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm,jmgbb-lsf-master-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,"Endpoint protection should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmgbb-wus2-rg,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm,jmgbb-lsf-master-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,"Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmgbb-wus2-rg,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm,jmgbb-lsf-master-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,"Management ports should be closed on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmgbb-wus2-rg,Microsoft.Compute/virtualMachines,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm,jmgbb-lsf-master-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,"Azure Backup should be enabled for Virtual Machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmgbb-wus2-rg,Microsoft.Network/virtualNetworks/subnets,tbd,,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.network/virtualnetworks/jmgbb-wus2-vnet/subnets/jmgbb-anf-sn,jmgbb-anf-sn,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",Security Center,"Subnets should be associated with a Network Security Group"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmgbb-wus2-rg,Microsoft.Network/virtualNetworks/subnets,tbd,,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.network/virtualnetworks/jmgbb-wus2-vnet/subnets/compute,compute,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",Security Center,"Subnets should be associated with a Network Security Group"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmgbb-wus2-rg,Microsoft.Network/virtualNetworks,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.network/virtualnetworks/jmgbb-wus2-vnet,jmgbb-wus2-vnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vnetenableddosprotectionmonitoring,a7aca53f-2ed4-4466-a25e-0b45ade68efd,/providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd,azure_security_benchmark_v3.0_ns-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.",Security Center,"Azure DDoS Protection Standard should be enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmgbb-wus2-rg,Microsoft.Compute/virtualMachines,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm,jmgbb-lsf-master-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,"Endpoint protection health issues should be resolved on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmgbb-wus2-rg,Microsoft.Network/virtualNetworks,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.network/virtualnetworks/jmgbb-wus2-vnet,jmgbb-wus2-vnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0-preview,azurefirewalleffect,fc5e4038-4584-4632-8c85-c0448d374b2c,/providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall",Network,"[Preview]: All Internet traffic should be routed via your deployed Azure Firewall"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmgbb-wus2-rg,Microsoft.Storage/storageAccounts,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.storage/storageaccounts/jmgbbus2sa,jmgbbus2sa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,"Secure transfer to storage accounts should be enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmgbb-wus2-rg,Microsoft.Storage/storageAccounts,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.storage/storageaccounts/jmgbbus2sa,jmgbbus2sa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,"Storage accounts should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmgbb-wus2-rg,Microsoft.Compute/virtualMachines,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm,jmgbb-lsf-master-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2-preview,ascdependencyagentauditlinuxeffect,04c4380f-3fae-46e8-96c9-30193528f602,/providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602,azure_security_benchmark_v3.0_lt-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.",Monitoring,"[Preview]: Network traffic data collection agent should be installed on Linux virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmgbb-wus2-rg,Microsoft.Storage/storageAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.storage/storageaccounts/jmgbbus2sa,jmgbbus2sa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,"Storage accounts should restrict network access using virtual network rules"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmgbb-wus2-rg,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm,jmgbb-lsf-master-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,"[Preview]: vTPM should be enabled on supported virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmgbb-wus2-rg,Microsoft.Compute/virtualMachines,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm,jmgbb-lsf-master-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmgbb-wus2-rg,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm,jmgbb-lsf-master-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,"A vulnerability assessment solution should be enabled on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmgbb-wus2-rg,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm,jmgbb-lsf-master-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,"All network ports should be restricted on network security groups associated to your virtual machine"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmgbb-wus2-rg,Microsoft.Compute/virtualMachines,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm,jmgbb-lsf-master-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,"SQL servers on machines should have vulnerability findings resolved"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmgbb-wus2-rg,Microsoft.Storage/storageAccounts,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.storage/storageaccounts/jmgbbus2sa,jmgbbus2sa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,"[Preview]: Storage account public access should be disallowed"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmgbb-wus2-rg,Microsoft.Compute/virtualMachines,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm,jmgbb-lsf-master-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Linux machines should meet requirements for the Azure compute security baseline"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmgbb-wus2-rg,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm,jmgbb-lsf-master-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,"Monitor missing Endpoint Protection in Azure Security Center"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmgbb-wus2-rg,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm,jmgbb-lsf-master-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,"Authentication to Linux machines should require SSH keys"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmgbb-wus2-rg,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vm,jmgbb-lsf-master-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Non-internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmgbb-wus2-rg,Microsoft.Network/virtualNetworks,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.network/virtualnetworks/jmgbb-wus2-vnet,jmgbb-wus2-vnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networkwatchershouldbeenabledmonitoringeffect,b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,azure_security_benchmark_v3.0_ir-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.",Network,"Network Watcher should be enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-wus2-rgMicrosoft.Storage/storageAccountstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.storage/storageaccounts/jmgbbxnfssawus2jmgbbxnfssawus255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-wus2-rgMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vmjmgbb-lsf-master-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-wus2-rgMicrosoft.Storage/storageAccountstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.storage/storageaccounts/jmgbbxnfssawus2jmgbbxnfssawus255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-wus2-rgMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vmjmgbb-lsf-master-vm1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-wus2-rgMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vmjmgbb-lsf-master-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-wus2-rgMicrosoft.Storage/storageAccountstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.storage/storageaccounts/jmgbbxnfssawus2jmgbbxnfssawus255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-wus2-rgMicrosoft.Storage/storageAccountstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.storage/storageaccounts/jmgbbxnfssawus2jmgbbxnfssawus255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-wus2-rgMicrosoft.Storage/storageAccountstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.storage/storageaccounts/jmgbbxnfssawus2jmgbbxnfssawus255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-wus2-rgMicrosoft.Storage/storageAccountstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.storage/storageaccounts/jmgbbxnfssawus2jmgbbxnfssawus255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-wus2-rgMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vmjmgbb-lsf-master-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-wus2-rgMicrosoft.Storage/storageAccountstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.storage/storageaccounts/jmgbbxnfssawus2jmgbbxnfssawus255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-wus2-rgMicrosoft.Storage/storageAccountstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.storage/storageaccounts/jmgbbxnfssawus2jmgbbxnfssawus255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-wus2-rgMicrosoft.Storage/storageAccountstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.storage/storageaccounts/jmgbbxnfssawus2jmgbbxnfssawus255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-wus2-rgMicrosoft.Storage/storageAccountstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.storage/storageaccounts/jmgbbxnfssawus2jmgbbxnfssawus255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622jmgbb-wus2-rgMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmgbb-wus2-rg/providers/microsoft.compute/virtualmachines/jmgbb-lsf-master-vmjmgbb-lsf-master-vm1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.,Backup,Azure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.,Security Center,Management ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations,Security Center,Monitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,A vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface,Security Center,Adaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.,Backup,Azure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.,Security Center,All network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,3.0.0,prerequisite_deployextensionlinux,331e8ea8-378a-410f-a2e5-ae22f38bb0da,/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da,,tbd,deployifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,Guest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,Missing security system updates on your servers will be monitored by Azure Security Center as recommendations,Security Center,System updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,Adaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.,Security Center,Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,Linux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc,Security Center,Non-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats,Security Center,Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc,Security Center,Internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,Authentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations,Security Center,Management ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,SQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,Linux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachineScaleSets,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss,lustre-vmss,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmssmonitoring,a3a6ea0c-e018-4933-9ef0-5aaa1501449b,/providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats.,Security Center,Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachineScaleSets,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss,lustre-vmss,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vmssendpointprotectionmonitoring,26a828e1-e88f-464e-bbb3-c134a282b9de,/providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.",Security Center,Endpoint protection solution should be installed on virtual machine scale sets
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachineScaleSets,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss,lustre-vmss,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vmssosvulnerabilitiesmonitoring,3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4,/providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks.,Security Center,Vulnerabilities in security configuration on your virtual machine scale sets should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachineScaleSets,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss,lustre-vmss,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.,Security Center,Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachineScaleSets,tbd,eastus,True,Exempt,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss,lustre-vmss,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vmsssystemupdatesmonitoring,c3f317a7-a95c-4547-b7e7-11017ebdf2fe,/providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure.,Security Center,System updates on virtual machine scale sets should be installed
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachineScaleSets,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss,lustre-vmss,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmssmonitoring,a3a6ea0c-e018-4933-9ef0-5aaa1501449b,/providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats.,Security Center,Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachineScaleSets,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss,lustre-vmss,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vmssosvulnerabilitiesmonitoring,3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4,/providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks.,Security Center,Vulnerabilities in security configuration on your virtual machine scale sets should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachineScaleSets,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss,lustre-vmss,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.1.0,diagnosticslogsinservicefabricmonitoringeffect,7c1b1214-f927-48bf-8882-84f0af6588b1,/providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1,azure_security_benchmark_v3.0_lt-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise.,Compute,Resource logs in Virtual Machine Scale Sets should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachineScaleSets,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss,lustre-vmss,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.,Security Center,Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachineScaleSetstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmssendpointprotectionmonitoring26a828e1-e88f-464e-bbb3-c134a282b9de/providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9deazure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.Security CenterEndpoint protection solution should be installed on virtual machine scale sets
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmssmonitoringa3a6ea0c-e018-4933-9ef0-5aaa1501449b/providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449bazure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecurity Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats.Security CenterLog Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachineScaleSetstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmssosvulnerabilitiesmonitoring3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4/providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks.Security CenterVulnerabilities in security configuration on your virtual machine scale sets should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachineScaleSetstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmssendpointprotectionmonitoring26a828e1-e88f-464e-bbb3-c134a282b9de/providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9deazure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.Security CenterEndpoint protection solution should be installed on virtual machine scale sets
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachineScaleSetstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmsssystemupdatesmonitoringc3f317a7-a95c-4547-b7e7-11017ebdf2fe/providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2feazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure.Security CenterSystem updates on virtual machine scale sets should be installed
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.1.0diagnosticslogsinservicefabricmonitoringeffect7c1b1214-f927-48bf-8882-84f0af6588b1/providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1azure_security_benchmark_v3.0_lt-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineIt is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise.ComputeResource logs in Virtual Machine Scale Sets should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmssendpointprotectionmonitoring26a828e1-e88f-464e-bbb3-c134a282b9de/providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9deazure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.Security CenterEndpoint protection solution should be installed on virtual machine scale sets
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachineScaleSetstbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmsssystemupdatesmonitoringc3f317a7-a95c-4547-b7e7-11017ebdf2fe/providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2feazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure.Security CenterSystem updates on virtual machine scale sets should be installed
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmssosvulnerabilitiesmonitoring3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4/providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks.Security CenterVulnerabilities in security configuration on your virtual machine scale sets should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.1.0diagnosticslogsinservicefabricmonitoringeffect7c1b1214-f927-48bf-8882-84f0af6588b1/providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1azure_security_benchmark_v3.0_lt-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineIt is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise.ComputeResource logs in Virtual Machine Scale Sets should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmssendpointprotectionmonitoring26a828e1-e88f-464e-bbb3-c134a282b9de/providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9deazure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.Security CenterEndpoint protection solution should be installed on virtual machine scale sets
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmssmonitoringa3a6ea0c-e018-4933-9ef0-5aaa1501449b/providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449bazure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecurity Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats.Security CenterLog Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.1.0diagnosticslogsinservicefabricmonitoringeffect7c1b1214-f927-48bf-8882-84f0af6588b1/providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1azure_security_benchmark_v3.0_lt-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinIt is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise.ComputeResource logs in Virtual Machine Scale Sets should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.1.0diagnosticslogsinservicefabricmonitoringeffect7c1b1214-f927-48bf-8882-84f0af6588b1/providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1azure_security_benchmark_v3.0_lt-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineIt is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise.ComputeResource logs in Virtual Machine Scale Sets should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmssosvulnerabilitiesmonitoring3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4/providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks.Security CenterVulnerabilities in security configuration on your virtual machine scale sets should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmsssystemupdatesmonitoringc3f317a7-a95c-4547-b7e7-11017ebdf2fe/providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2feazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure.Security CenterSystem updates on virtual machine scale sets should be installed
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmssosvulnerabilitiesmonitoring3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4/providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks.Security CenterVulnerabilities in security configuration on your virtual machine scale sets should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachineScaleSetstbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmsssystemupdatesmonitoringc3f317a7-a95c-4547-b7e7-11017ebdf2fe/providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2feazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure.Security CenterSystem updates on virtual machine scale sets should be installed
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmssmonitoringa3a6ea0c-e018-4933-9ef0-5aaa1501449b/providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449bazure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSecurity Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats.Security CenterLog Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmssmonitoringa3a6ea0c-e018-4933-9ef0-5aaa1501449b/providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449bazure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecurity Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats.Security CenterLog Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmsssystemupdatesmonitoringc3f317a7-a95c-4547-b7e7-11017ebdf2fe/providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2feazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure.Security CenterSystem updates on virtual machine scale sets should be installed
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmssendpointprotectionmonitoring26a828e1-e88f-464e-bbb3-c134a282b9de/providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9deazure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.Security CenterEndpoint protection solution should be installed on virtual machine scale sets
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.1.0diagnosticslogsinservicefabricmonitoringeffect7c1b1214-f927-48bf-8882-84f0af6588b1/providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1azure_security_benchmark_v3.0_lt-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinIt is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise.ComputeResource logs in Virtual Machine Scale Sets should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmsssystemupdatesmonitoringc3f317a7-a95c-4547-b7e7-11017ebdf2fe/providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2feazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure.Security CenterSystem updates on virtual machine scale sets should be installed
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmssmonitoringa3a6ea0c-e018-4933-9ef0-5aaa1501449b/providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449bazure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecurity Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats.Security CenterLog Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.1.0diagnosticslogsinservicefabricmonitoringeffect7c1b1214-f927-48bf-8882-84f0af6588b1/providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1azure_security_benchmark_v3.0_lt-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineIt is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise.ComputeResource logs in Virtual Machine Scale Sets should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmssosvulnerabilitiesmonitoring3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4/providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks.Security CenterVulnerabilities in security configuration on your virtual machine scale sets should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmssendpointprotectionmonitoring26a828e1-e88f-464e-bbb3-c134a282b9de/providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9deazure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.Security CenterEndpoint protection solution should be installed on virtual machine scale sets
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmssosvulnerabilitiesmonitoring3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4/providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks.Security CenterVulnerabilities in security configuration on your virtual machine scale sets should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmssmonitoringa3a6ea0c-e018-4933-9ef0-5aaa1501449b/providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449bazure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSecurity Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats.Security CenterLog Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachineScaleSetstbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmsssystemupdatesmonitoringc3f317a7-a95c-4547-b7e7-11017ebdf2fe/providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2feazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure.Security CenterSystem updates on virtual machine scale sets should be installed
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration3.0.0prerequisite_deployextensionlinux331e8ea8-378a-410f-a2e5-ae22f38bb0da/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0datbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-EUS-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-EUS-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-EUS-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-EUS-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-EUS-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-EUS-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-EUS-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-EUS-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-EUS-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-EUS-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-EUS-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-EUS-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-EUS-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-EUS-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-EUS-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-EUS-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-EUS-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-EUS-RGMicrosoft.Compute/virtualMachinestbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-EUS-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-EUS-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-EUS-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-EUS-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-EUS-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-EUS-RGMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-LUSTREFS-EUS-RG,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-LUSTREFS-EUS-RG,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-LUSTREFS-EUS-RG,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhenuser,497dff13-db2a-4c0f-8603-28fa3b331ab6,/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-LUSTREFS-EUS-RG,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhennone,3cf2ab00-13f1-4d0c-8971-2ac904541a7e,/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-LUSTREFS-EUS-RG,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,SQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-LUSTREFS-EUS-RG,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,IP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-LUSTREFS-EUS-RG,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,3.0.0,prerequisite_deployextensionlinux,331e8ea8-378a-410f-a2e5-ae22f38bb0da,/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da,,tbd,deployifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-LUSTREFS-EUS-RG,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.,Security Center,Management ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-LUSTREFS-EUS-RG,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.,Backup,Azure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-LUSTREFS-EUS-RG,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.,Security Center,Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-LUSTREFS-EUS-RG,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-LUSTREFS-EUS-RG,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.,Security Center,Management ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-LUSTREFS-EUS-RG,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.,Security Center,Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-LUSTREFS-EUS-RG,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,IP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-LUSTREFS-EUS-RG,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface,Security Center,Adaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-LUSTREFS-EUS-RG,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-LUSTREFS-EUS-RG,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,SQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-LUSTREFS-EUS-RG,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.,Security Center,All network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-LUSTREFS-EUS-RG,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,A vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-LUSTREFS-EUS-RG,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc,Security Center,Non-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-LUSTREFS-EUS-RG,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,Authentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-LUSTREFS-EUS-RG,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations,Security Center,Monitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-LUSTREFS-EUS-RG,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,Guest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-LUSTREFS-EUS-RG,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-LUSTREFS-EUS-RG,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations,Security Center,Management ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-LUSTREFS-EUS-RG,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc,Security Center,Internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-LUSTREFS-EUS-RG,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.,Security Center,Allowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-EUS-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-EUS-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-EUS-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-EUS-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-EUS-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-EUS-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-EUS-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-EUS-RGMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,3.0.0,prerequisite_deployextensionlinux,331e8ea8-378a-410f-a2e5-ae22f38bb0da,/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da,,tbd,deployifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,,tbd,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,Guest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,IP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,Allowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,SQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,Management ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,Adaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,A vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,All network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,Monitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,SQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,Linux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,SQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,A vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,Vulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,Monitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Non-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,Allowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,Management ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,Adaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,Guest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Exempt,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,System updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,"Vulnerabilities in container security configurations should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,"IP Forwarding on your virtual machine should be disabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,"Adaptive network hardening recommendations should be applied on internet facing virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,"SQL servers on machines should have vulnerability findings resolved"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,"All network ports should be restricted on network security groups associated to your virtual machine"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,"Management ports should be closed on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,"A vulnerability assessment solution should be enabled on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,"Monitor missing Endpoint Protection in Azure Security Center"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Non-internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,"Allowlist rules in your adaptive application control policy should be updated"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,"Adaptive application controls for defining safe applications should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,"Management ports of virtual machines should be protected with just-in-time network access control"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,"System updates should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,"Guest Configuration extension should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Non-internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,"All network ports should be restricted on network security groups associated to your virtual machine"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,"Azure Backup should be enabled for Virtual Machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,"Vulnerabilities in security configuration on your machines should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,"[Preview]: Secure Boot should be enabled on supported Windows virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,"Authentication to Linux machines should require SSH keys"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,"Virtual machines should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,"[Preview]: Secure Boot should be enabled on supported Windows virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,"Adaptive application controls for defining safe applications should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,"[Preview]: vTPM should be enabled on supported virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Exempt,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,"System updates should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,"Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,"[Preview]: Machines should be configured to periodically check for missing system updates"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,"Guest Configuration extension should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,"Virtual machines should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-eus-rg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,"Management ports of virtual machines should be protected with just-in-time network access control"
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-eus-rgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-eus-rg/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,"Vulnerabilities in container security configurations should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,"IP Forwarding on your virtual machine should be disabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,"Management ports should be closed on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Linux machines should meet requirements for the Azure compute security baseline"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,"[Preview]: vTPM should be enabled on supported virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Non-internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,True,Exempt,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,"System updates should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,"A vulnerability assessment solution should be enabled on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,"[Preview]: System updates should be installed on your machines (powered by Update Center)"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,"Vulnerabilities in container security configurations should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,"IP Forwarding on your virtual machine should be disabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,"Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,"SQL servers on machines should have vulnerability findings resolved"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,"Endpoint protection health issues should be resolved on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,"[Preview]: System updates should be installed on your machines (powered by Update Center)"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,"Adaptive network hardening recommendations should be applied on internet facing virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,"Vulnerabilities in security configuration on your machines should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,"All network ports should be restricted on network security groups associated to your virtual machine"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,"Allowlist rules in your adaptive application control policy should be updated"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,"Monitor missing Endpoint Protection in Azure Security Center"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,"Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,"Adaptive application controls for defining safe applications should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,"Management ports of virtual machines should be protected with just-in-time network access control"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,"Guest Configuration extension should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,"[Preview]: Secure Boot should be enabled on supported Windows virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,"Adaptive network hardening recommendations should be applied on internet facing virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,"A vulnerability assessment solution should be enabled on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,"[Preview]: vTPM should be enabled on supported virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,"[Preview]: Machines should be configured to periodically check for missing system updates"
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
"1d81cec7-7ded-4731-884e-90c5aa59c622","jm-lustrefs-rg-eus","Microsoft.Compute/virtualMachines","tbd","eastus","False","NonCompliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh","lustre-rbh","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","2.0.3","diskencryptionmonitoring","0961003e-5a0a-4549-abde-af6a37f2724d","/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d","azure_security_benchmark_v3.0_dp-4","tbd","auditifnotexists","","/providers/Microsoft.Management/managementGroups/MCAPSCore","tbd","","Azure_Security_Baseline","/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline","By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison","Security Center","Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
"1d81cec7-7ded-4731-884e-90c5aa59c622","jm-lustrefs-rg-eus","Microsoft.Compute/virtualMachines","tbd","eastus","False","NonCompliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh","lustre-rbh","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","3.0.0","systemconfigurationsmonitoring","e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","azure_security_benchmark_v3.0_pv-6","tbd","auditifnotexists","","/providers/Microsoft.Management/managementGroups/MCAPSCore","tbd","","Azure_Security_Baseline","/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline","Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations","Security Center","Vulnerabilities in security configuration on your machines should be remediated"
"1d81cec7-7ded-4731-884e-90c5aa59c622","jm-lustrefs-rg-eus","Microsoft.Compute/virtualMachines","tbd","eastus","False","NonCompliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh","lustre-rbh","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","3.0.0","networksecuritygroupsoninternalvirtualmachinesmonitoring","bb91dfba-c30d-4263-9add-9c2384e659a6","/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6","azure_security_benchmark_v3.0_ns-1","tbd","auditifnotexists","","/providers/Microsoft.Management/managementGroups/MCAPSCore","tbd","","Azure_Security_Baseline","/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline","Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc","Security Center","Non-internet-facing virtual machines should be protected with network security groups"
"1d81cec7-7ded-4731-884e-90c5aa59c622","jm-lustrefs-rg-eus","Microsoft.Compute/virtualMachines","tbd","eastus","False","NonCompliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh","lustre-rbh","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","3.0.0","networksecuritygroupsonvirtualmachinesmonitoring","f6de0be7-9a8a-4b8a-b349-43cf02d22f7c","/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c","azure_security_benchmark_v3.0_ns-1","tbd","auditifnotexists","","/providers/Microsoft.Management/managementGroups/MCAPSCore","tbd","","Azure_Security_Baseline","/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline","Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc","Security Center","Internet-facing virtual machines should be protected with network security groups"
"1d81cec7-7ded-4731-884e-90c5aa59c622","jm-lustrefs-rg-eus","Microsoft.Compute/virtualMachines","tbd","eastus","False","NonCompliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh","lustre-rbh","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","3.0.0","adaptiveapplicationcontrolsupdatemonitoring","123a3936-f020-408a-ba0c-47873faf1534","/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534","azure_security_benchmark_v3.0_am-5","tbd","auditifnotexists","","/providers/Microsoft.Management/managementGroups/MCAPSCore","tbd","","Azure_Security_Baseline","/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline","Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.","Security Center","Allowlist rules in your adaptive application control policy should be updated"
"1d81cec7-7ded-4731-884e-90c5aa59c622","jm-lustrefs-rg-eus","Microsoft.Compute/virtualMachines","tbd","eastus","False","NonCompliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh","lustre-rbh","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","3.0.0","azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect","013e242c-8828-4970-87b3-ab247555486d","/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d","System.Object[]","tbd","auditifnotexists","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622","tbd","","SecurityCenterBuiltIn","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.","Backup","Azure Backup should be enabled for Virtual Machines"
"1d81cec7-7ded-4731-884e-90c5aa59c622","jm-lustrefs-rg-eus","Microsoft.Compute/virtualMachines","tbd","eastus","True","Compliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh","lustre-rbh","1.0.0","","","12794019-7a00-42cf-95c2-882eed337cc8","/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8","guest configuration","","3.0.0","prerequisite_deployextensionlinux","331e8ea8-378a-410f-a2e5-ae22f38bb0da","/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da","","tbd","deployifnotexists","","/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd","tbd","","f34f1577286a4f77b5dd107c","/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c","This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.","Guest Configuration","Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs"
"1d81cec7-7ded-4731-884e-90c5aa59c622","jm-lustrefs-rg-eus","Microsoft.Compute/virtualMachines","tbd","eastus","False","NonCompliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh","lustre-rbh","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","1.0.0","installendpointprotection","1f7c564c-0a90-4d44-b7e1-9d456cffaee8","/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8","azure_security_benchmark_v3.0_es-2","tbd","auditifnotexists","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622","tbd","","SecurityCenterBuiltIn","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.","Security Center","Endpoint protection should be installed on your machines"
"1d81cec7-7ded-4731-884e-90c5aa59c622","jm-lustrefs-rg-eus","Microsoft.Compute/virtualMachines","tbd","eastus","False","NonCompliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh","lustre-rbh","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","1.0.0","serversqldbvulnerabilityassesmentmonitoring","6ba6d016-e7c3-4842-b8f2-4992ebc0d72d","/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d","azure_security_benchmark_v3.0_pv-6","tbd","auditifnotexists","","/providers/Microsoft.Management/managementGroups/MCAPSCore","tbd","","Azure_Security_Baseline","/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline","SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.","Security Center","SQL servers on machines should have vulnerability findings resolved"
"1d81cec7-7ded-4731-884e-90c5aa59c622","jm-lustrefs-rg-eus","Microsoft.Compute/virtualMachines","tbd","eastus","False","NonCompliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh","lustre-rbh","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","3.0.0","adaptiveapplicationcontrolsmonitoring","47a6b606-51aa-4496-8bb7-64b11cf66adc","/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","azure_security_benchmark_v3.0_am-5","tbd","auditifnotexists","","/providers/Microsoft.Management/managementGroups/MCAPSCore","tbd","","Azure_Security_Baseline","/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline","Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.","Security Center","Adaptive application controls for defining safe applications should be enabled on your machines"
"1d81cec7-7ded-4731-884e-90c5aa59c622","jm-lustrefs-rg-eus","Microsoft.Compute/virtualMachines","tbd","eastus","False","NonCompliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh","lustre-rbh","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","4.0.0","systemupdatesmonitoring","86b3d65f-7626-441e-b690-81a8b71cff60","/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","azure_security_benchmark_v3.0_pv-6","tbd","auditifnotexists","","/providers/Microsoft.Management/managementGroups/MCAPSCore","tbd","","Azure_Security_Baseline","/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline","Missing security system updates on your servers will be monitored by Azure Security Center as recommendations","Security Center","System updates should be installed on your machines"
"1d81cec7-7ded-4731-884e-90c5aa59c622","jm-lustrefs-rg-eus","Microsoft.Compute/virtualMachines","tbd","eastus","True","Compliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh","lustre-rbh","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","1.0.2","gcextonvmmonitoring","ae89ebca-1c92-4898-ac2c-9f63decb045c","/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c","azure_security_benchmark_v3.0_pv-4","tbd","auditifnotexists","","/providers/Microsoft.Management/managementGroups/MCAPSCore","tbd","","Azure_Security_Baseline","/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline","To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.","Security Center","Guest Configuration extension should be installed on your machines"
"1d81cec7-7ded-4731-884e-90c5aa59c622","jm-lustrefs-rg-eus","Microsoft.Compute/virtualMachines","tbd","eastus","False","NonCompliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh","lustre-rbh","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","1.0.0","installloganalyticsagentonvmmonitoring","a4fe33eb-e377-4efb-ab31-0784311bc499","/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499","azure_security_benchmark_v3.0_lt-5","tbd","auditifnotexists","","/providers/Microsoft.Management/managementGroups/MCAPSCore","tbd","","Azure_Security_Baseline","/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline","This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats","Security Center","Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring"
"1d81cec7-7ded-4731-884e-90c5aa59c622","jm-lustrefs-rg-eus","Microsoft.Compute/virtualMachines","tbd","eastus","False","NonCompliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh","lustre-rbh","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","3.0.0","adaptivenetworkhardeningsmonitoring","08e6af2d-db70-460a-bfe9-d5bd474ba9d6","/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6","System.Object[]","tbd","auditifnotexists","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622","tbd","","SecurityCenterBuiltIn","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface","Security Center","Adaptive network hardening recommendations should be applied on internet facing virtual machines"
"1d81cec7-7ded-4731-884e-90c5aa59c622","jm-lustrefs-rg-eus","Microsoft.Compute/virtualMachines","tbd","eastus","False","NonCompliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh","lustre-rbh","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","1.0.0","endpointprotectionhealthissuesmonitoringeffect","8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2","/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2","System.Object[]","tbd","auditifnotexists","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622","tbd","","SecurityCenterBuiltIn","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.","Security Center","Endpoint protection health issues should be resolved on your machines"
"1d81cec7-7ded-4731-884e-90c5aa59c622","jm-lustrefs-rg-eus","Microsoft.Compute/virtualMachines","tbd","eastus","False","NonCompliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh","lustre-rbh","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","1.0.0-preview","systemupdatesv2monitoring","f85bf3e0-d513-442e-89c3-1784ad63382b","/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b","azure_security_benchmark_v3.0_pv-6","tbd","auditifnotexists","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622","tbd","","SecurityCenterBuiltIn","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.","Security Center","[Preview]: System updates should be installed on your machines (powered by Update Center)"
"1d81cec7-7ded-4731-884e-90c5aa59c622","jm-lustrefs-rg-eus","Microsoft.Compute/virtualMachines","tbd","eastus","False","NonCompliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh","lustre-rbh","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","3.0.0","containerbenchmarkmonitoring","e8cbc669-f12d-49eb-93e7-9273119e9933","/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933","System.Object[]","tbd","auditifnotexists","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622","tbd","","SecurityCenterBuiltIn","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.","Security Center","Vulnerabilities in container security configurations should be remediated"
"1d81cec7-7ded-4731-884e-90c5aa59c622","jm-lustrefs-rg-eus","Microsoft.Compute/virtualMachines","tbd","eastus","False","NonCompliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh","lustre-rbh","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","3.0.0","networksecuritygroupsoninternalvirtualmachinesmonitoring","bb91dfba-c30d-4263-9add-9c2384e659a6","/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6","azure_security_benchmark_v3.0_ns-1","tbd","auditifnotexists","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622","tbd","","SecurityCenterBuiltIn","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc","Security Center","Non-internet-facing virtual machines should be protected with network security groups"
"1d81cec7-7ded-4731-884e-90c5aa59c622","jm-lustrefs-rg-eus","Microsoft.Compute/virtualMachines","tbd","eastus","False","NonCompliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh","lustre-rbh","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","3.0.0","adaptiveapplicationcontrolsupdatemonitoring","123a3936-f020-408a-ba0c-47873faf1534","/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534","azure_security_benchmark_v3.0_am-5","tbd","auditifnotexists","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622","tbd","","SecurityCenterBuiltIn","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.","Security Center","Allowlist rules in your adaptive application control policy should be updated"
"1d81cec7-7ded-4731-884e-90c5aa59c622","jm-lustrefs-rg-eus","Microsoft.Compute/virtualMachines","tbd","eastus","False","NonCompliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh","lustre-rbh","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","3.0.0","jitnetworkaccessmonitoring","b0f33259-77d7-4c9e-aac6-3aabcfae693c","/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c","System.Object[]","tbd","auditifnotexists","","/providers/Microsoft.Management/managementGroups/MCAPSCore","tbd","","Azure_Security_Baseline","/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline","Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations","Security Center","Management ports of virtual machines should be protected with just-in-time network access control"
"1d81cec7-7ded-4731-884e-90c5aa59c622","jm-lustrefs-rg-eus","Microsoft.Compute/virtualMachines","tbd","eastus","False","NonCompliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh","lustre-rbh","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","3.0.0","systemconfigurationsmonitoring","e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15","azure_security_benchmark_v3.0_pv-6","tbd","auditifnotexists","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622","tbd","","SecurityCenterBuiltIn","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin","Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations","Security Center","Vulnerabilities in security configuration on your machines should be remediated"
"1d81cec7-7ded-4731-884e-90c5aa59c622","jm-lustrefs-rg-eus","Microsoft.Compute/virtualMachines","tbd","eastus","True","Compliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre","lustre","1.0.0","","","12794019-7a00-42cf-95c2-882eed337cc8","/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8","guest configuration","","4.0.0","prerequisite_addsystemidentitywhenuser","497dff13-db2a-4c0f-8603-28fa3b331ab6","/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6","","tbd","modify","","/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd","tbd","","f34f1577286a4f77b5dd107c","/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c","This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.","Guest Configuration","Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity"
"1d81cec7-7ded-4731-884e-90c5aa59c622","JM-LUSTREFS-RG-EUS","Microsoft.Compute/virtualMachines","tbd","eastus","True","Compliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh","lustre-rbh","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","3.0.0","authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect","630c64f9-8b6b-4c64-b511-6544ceff6fd6","/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6","azure_security_benchmark_v3.0_im-6","tbd","auditifnotexists","","/providers/Microsoft.Management/managementGroups/MCAPSCore","tbd","","Azure_Security_Baseline","/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline","Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.","Guest Configuration","Authentication to Linux machines should require SSH keys"
"1d81cec7-7ded-4731-884e-90c5aa59c622","jm-lustrefs-rg-eus","Microsoft.Compute/virtualMachines","tbd","eastus","False","NonCompliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre","lustre","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","1.0.0","installloganalyticsagentonvmmonitoring","a4fe33eb-e377-4efb-ab31-0784311bc499","/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499","azure_security_benchmark_v3.0_lt-5","tbd","auditifnotexists","","/providers/Microsoft.Management/managementGroups/MCAPSCore","tbd","","Azure_Security_Baseline","/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline","This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats","Security Center","Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring"
"1d81cec7-7ded-4731-884e-90c5aa59c622","jm-lustrefs-rg-eus","Microsoft.Compute/virtualMachines","tbd","eastus","True","Compliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre","lustre","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","1.0.2","gcextonvmmonitoring","ae89ebca-1c92-4898-ac2c-9f63decb045c","/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c","azure_security_benchmark_v3.0_pv-4","tbd","auditifnotexists","","/providers/Microsoft.Management/managementGroups/MCAPSCore","tbd","","Azure_Security_Baseline","/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline","To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.","Security Center","Guest Configuration extension should be installed on your machines"
"1d81cec7-7ded-4731-884e-90c5aa59c622","jm-lustrefs-rg-eus","Microsoft.Compute/virtualMachines","tbd","eastus","False","NonCompliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre","lustre","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","4.0.0","systemupdatesmonitoring","86b3d65f-7626-441e-b690-81a8b71cff60","/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60","azure_security_benchmark_v3.0_pv-6","tbd","auditifnotexists","","/providers/Microsoft.Management/managementGroups/MCAPSCore","tbd","","Azure_Security_Baseline","/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline","Missing security system updates on your servers will be monitored by Azure Security Center as recommendations","Security Center","System updates should be installed on your machines"
"1d81cec7-7ded-4731-884e-90c5aa59c622","jm-lustrefs-rg-eus","Microsoft.Compute/virtualMachines","tbd","eastus","False","NonCompliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre","lustre","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","1.0.0-preview","systemupdatesv2monitoring","f85bf3e0-d513-442e-89c3-1784ad63382b","/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b","azure_security_benchmark_v3.0_pv-6","tbd","auditifnotexists","","/providers/Microsoft.Management/managementGroups/MCAPSCore","tbd","","Azure_Security_Baseline","/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline","Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.","Security Center","[Preview]: System updates should be installed on your machines (powered by Update Center)"
"1d81cec7-7ded-4731-884e-90c5aa59c622","jm-lustrefs-rg-eus","Microsoft.Compute/virtualMachines","tbd","eastus","False","NonCompliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre","lustre","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","3.0.0","jitnetworkaccessmonitoring","b0f33259-77d7-4c9e-aac6-3aabcfae693c","/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c","System.Object[]","tbd","auditifnotexists","","/providers/Microsoft.Management/managementGroups/MCAPSCore","tbd","","Azure_Security_Baseline","/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline","Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations","Security Center","Management ports of virtual machines should be protected with just-in-time network access control"
"1d81cec7-7ded-4731-884e-90c5aa59c622","jm-lustrefs-rg-eus","Microsoft.Compute/virtualMachines","tbd","eastus","False","NonCompliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre","lustre","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","3.0.0","adaptiveapplicationcontrolsmonitoring","47a6b606-51aa-4496-8bb7-64b11cf66adc","/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc","azure_security_benchmark_v3.0_am-5","tbd","auditifnotexists","","/providers/Microsoft.Management/managementGroups/MCAPSCore","tbd","","Azure_Security_Baseline","/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline","Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.","Security Center","Adaptive application controls for defining safe applications should be enabled on your machines"
"1d81cec7-7ded-4731-884e-90c5aa59c622","jm-lustrefs-rg-eus","Microsoft.Compute/virtualMachines","tbd","eastus","False","NonCompliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre","lustre","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","3.0.0","adaptiveapplicationcontrolsupdatemonitoring","123a3936-f020-408a-ba0c-47873faf1534","/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534","azure_security_benchmark_v3.0_am-5","tbd","auditifnotexists","","/providers/Microsoft.Management/managementGroups/MCAPSCore","tbd","","Azure_Security_Baseline","/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline","Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.","Security Center","Allowlist rules in your adaptive application control policy should be updated"
"1d81cec7-7ded-4731-884e-90c5aa59c622","jm-lustrefs-rg-eus","Microsoft.Compute/virtualMachines","tbd","eastus","False","NonCompliant","","/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre","lustre","55.0.0","","","1f3afdf9-d0c9-4c3d-847f-89da613e70a8","/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","security center","","3.0.0","networksecuritygroupsonvirtualmachinesmonitoring","f6de0be7-9a8a-4b8a-b349-43cf02d22f7c","/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c","azure_security_benchmark_v3.0_ns-1","tbd","auditifnotexists","","/providers/Microsoft.Management/managementGroups/MCAPSCore","tbd","","Azure_Security_Baseline","/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline","Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc","Security Center","Internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration3.0.0prerequisite_deployextensionlinux331e8ea8-378a-410f-a2e5-ae22f38bb0da/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0datbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup: JM-LUSTREFS-RG-EUS; ResourceType: Microsoft.Compute/virtualMachines; ResourceTags: tbd; ResourceLocation: eastus
IsCompliant: False; ComplianceState: NonCompliant; Resource: lustre-rbh; ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh
PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (version 55.0.0, category security center); PolicySetDefinitionId: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicyDefinition: fc9b3da7-8347-4380-8e70-0a0361d8dedd (version 2.0.0); PolicyDefinitionReferenceId: linuxguestconfigbaselinesmonitoring; PolicyDefinitionGroupNames: azure_security_benchmark_v3.0_pv-4; PolicyDefinitionCategory: tbd; PolicyDefinitionAction: auditifnotexists; PolicyDefinitionId: /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd
PolicyAssignment: SecurityCenterBuiltIn; PolicyAssignmentScope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622; PolicyAssignmentParameters: tbd; PolicyAssignmentId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
PolicyDisplayName: Linux machines should meet requirements for the Azure compute security baseline; PolicyCategory: Guest Configuration
PolicyDescription: Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.

SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup: JM-LUSTREFS-RG-EUS; ResourceType: Microsoft.Compute/virtualMachines; ResourceTags: tbd; ResourceLocation: eastus
IsCompliant: True; ComplianceState: Compliant; Resource: lustre-rbh; ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh
PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (version 55.0.0, category security center); PolicySetDefinitionId: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicyDefinition: ae89ebca-1c92-4898-ac2c-9f63decb045c (version 1.0.2); PolicyDefinitionReferenceId: gcextonvmmonitoring; PolicyDefinitionGroupNames: azure_security_benchmark_v3.0_pv-4; PolicyDefinitionCategory: tbd; PolicyDefinitionAction: auditifnotexists; PolicyDefinitionId: /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c
PolicyAssignment: Azure_Security_Baseline; PolicyAssignmentScope: /providers/Microsoft.Management/managementGroups/MCAPSCore; PolicyAssignmentParameters: tbd; PolicyAssignmentId: /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
PolicyDisplayName: Guest Configuration extension should be installed on your machines; PolicyCategory: Security Center
PolicyDescription: To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.

SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup: JM-LUSTREFS-RG-EUS; ResourceType: Microsoft.Compute/virtualMachines; ResourceTags: tbd; ResourceLocation: eastus
IsCompliant: False; ComplianceState: NonCompliant; Resource: lustre-rbh; ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh
PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (version 55.0.0, category security center); PolicySetDefinitionId: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicyDefinition: fc9b3da7-8347-4380-8e70-0a0361d8dedd (version 2.0.0); PolicyDefinitionReferenceId: linuxguestconfigbaselinesmonitoring; PolicyDefinitionGroupNames: azure_security_benchmark_v3.0_pv-4; PolicyDefinitionCategory: tbd; PolicyDefinitionAction: auditifnotexists; PolicyDefinitionId: /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd
PolicyAssignment: Azure_Security_Baseline; PolicyAssignmentScope: /providers/Microsoft.Management/managementGroups/MCAPSCore; PolicyAssignmentParameters: tbd; PolicyAssignmentId: /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
PolicyDisplayName: Linux machines should meet requirements for the Azure compute security baseline; PolicyCategory: Guest Configuration
PolicyDescription: Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.

SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup: JM-LUSTREFS-RG-EUS; ResourceType: Microsoft.Compute/virtualMachines; ResourceTags: tbd; ResourceLocation: eastus
IsCompliant: False; ComplianceState: NonCompliant; Resource: lustre-rbh; ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh
PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (version 55.0.0, category security center); PolicySetDefinitionId: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicyDefinition: a4fe33eb-e377-4efb-ab31-0784311bc499 (version 1.0.0); PolicyDefinitionReferenceId: installloganalyticsagentonvmmonitoring; PolicyDefinitionGroupNames: azure_security_benchmark_v3.0_lt-5; PolicyDefinitionCategory: tbd; PolicyDefinitionAction: auditifnotexists; PolicyDefinitionId: /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499
PolicyAssignment: Azure_Security_Baseline; PolicyAssignmentScope: /providers/Microsoft.Management/managementGroups/MCAPSCore; PolicyAssignmentParameters: tbd; PolicyAssignmentId: /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
PolicyDisplayName: Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring; PolicyCategory: Security Center
PolicyDescription: This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats

SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup: JM-LUSTREFS-RG-EUS; ResourceType: Microsoft.Compute/virtualMachines; ResourceTags: tbd; ResourceLocation: eastus
IsCompliant: False; ComplianceState: NonCompliant; Resource: lustre-rbh; ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh
PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (version 55.0.0, category security center); PolicySetDefinitionId: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicyDefinition: 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 (version 1.0.0); PolicyDefinitionReferenceId: endpointprotectionhealthissuesmonitoringeffect; PolicyDefinitionGroupNames: System.Object[]; PolicyDefinitionCategory: tbd; PolicyDefinitionAction: auditifnotexists; PolicyDefinitionId: /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2
PolicyAssignment: SecurityCenterBuiltIn; PolicyAssignmentScope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622; PolicyAssignmentParameters: tbd; PolicyAssignmentId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
PolicyDisplayName: Endpoint protection health issues should be resolved on your machines; PolicyCategory: Security Center
PolicyDescription: Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.

SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup: JM-LUSTREFS-RG-EUS; ResourceType: Microsoft.Compute/virtualMachines; ResourceTags: tbd; ResourceLocation: eastus
IsCompliant: True; ComplianceState: Compliant; Resource: lustre-rbh; ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh
PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (version 55.0.0, category security center); PolicySetDefinitionId: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicyDefinition: 1d84d5fb-01f6-4d12-ba4f-4a26081d403d (version 1.0.0); PolicyDefinitionReferenceId: classiccomputevmsmonitoring; PolicyDefinitionGroupNames: azure_security_benchmark_v3.0_am-2; PolicyDefinitionCategory: tbd; PolicyDefinitionAction: audit; PolicyDefinitionId: /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d
PolicyAssignment: Azure_Security_Baseline; PolicyAssignmentScope: /providers/Microsoft.Management/managementGroups/MCAPSCore; PolicyAssignmentParameters: tbd; PolicyAssignmentId: /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
PolicyDisplayName: Virtual machines should be migrated to new Azure Resource Manager resources; PolicyCategory: Compute
PolicyDescription: Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management

SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup: JM-LUSTREFS-RG-EUS; ResourceType: Microsoft.Compute/virtualMachines; ResourceTags: tbd; ResourceLocation: eastus
IsCompliant: True; ComplianceState: Compliant; Resource: lustre-rbh; ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh
PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (version 55.0.0, category security center); PolicySetDefinitionId: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicyDefinition: bd876905-5b84-4f73-ab2d-2e7a7c4568d9 (version 2.0.0-preview); PolicyDefinitionReferenceId: systemupdatesautoassessmentmode; PolicyDefinitionGroupNames: azure_security_benchmark_v3.0_pv-6; PolicyDefinitionCategory: tbd; PolicyDefinitionAction: audit; PolicyDefinitionId: /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9
PolicyAssignment: Azure_Security_Baseline; PolicyAssignmentScope: /providers/Microsoft.Management/managementGroups/MCAPSCore; PolicyAssignmentParameters: tbd; PolicyAssignmentId: /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
PolicyDisplayName: [Preview]: Machines should be configured to periodically check for missing system updates; PolicyCategory: Update Management Center
PolicyDescription: To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.

SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup: JM-LUSTREFS-RG-EUS; ResourceType: Microsoft.Compute/virtualMachines; ResourceTags: tbd; ResourceLocation: eastus
IsCompliant: True; ComplianceState: Compliant; Resource: lustre-rbh; ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh
PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (version 55.0.0, category security center); PolicySetDefinitionId: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicyDefinition: 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 (version 2.0.0-preview); PolicyDefinitionReferenceId: vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect; PolicyDefinitionGroupNames: azure_security_benchmark_v3.0_pv-4; PolicyDefinitionCategory: tbd; PolicyDefinitionAction: audit; PolicyDefinitionId: /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3
PolicyAssignment: Azure_Security_Baseline; PolicyAssignmentScope: /providers/Microsoft.Management/managementGroups/MCAPSCore; PolicyAssignmentParameters: tbd; PolicyAssignmentId: /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
PolicyDisplayName: [Preview]: vTPM should be enabled on supported virtual machines; PolicyCategory: Security Center
PolicyDescription: Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.

SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup: JM-LUSTREFS-RG-EUS; ResourceType: Microsoft.Compute/virtualMachines; ResourceTags: tbd; ResourceLocation: eastus
IsCompliant: True; ComplianceState: Compliant; Resource: lustre-rbh; ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh
PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (version 55.0.0, category security center); PolicySetDefinitionId: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicyDefinition: 97566dd7-78ae-4997-8b36-1c7bfe0d8121 (version 4.0.0-preview); PolicyDefinitionReferenceId: previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect; PolicyDefinitionGroupNames: azure_security_benchmark_v3.0_pv-4; PolicyDefinitionCategory: tbd; PolicyDefinitionAction: audit; PolicyDefinitionId: /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121
PolicyAssignment: Azure_Security_Baseline; PolicyAssignmentScope: /providers/Microsoft.Management/managementGroups/MCAPSCore; PolicyAssignmentParameters: tbd; PolicyAssignmentId: /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
PolicyDisplayName: [Preview]: Secure Boot should be enabled on supported Windows virtual machines; PolicyCategory: Security Center
PolicyDescription: Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.

SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup: JM-LUSTREFS-RG-EUS; ResourceType: Microsoft.Compute/virtualMachines; ResourceTags: tbd; ResourceLocation: eastus
IsCompliant: True; ComplianceState: Exempt; Resource: lustre-rbh; ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh
PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (version 55.0.0, category security center); PolicySetDefinitionId: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicyDefinition: 86b3d65f-7626-441e-b690-81a8b71cff60 (version 4.0.0); PolicyDefinitionReferenceId: systemupdatesmonitoring; PolicyDefinitionGroupNames: azure_security_benchmark_v3.0_pv-6; PolicyDefinitionCategory: tbd; PolicyDefinitionAction: auditifnotexists; PolicyDefinitionId: /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60
PolicyAssignment: SecurityCenterBuiltIn; PolicyAssignmentScope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622; PolicyAssignmentParameters: tbd; PolicyAssignmentId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
PolicyDisplayName: System updates should be installed on your machines; PolicyCategory: Security Center
PolicyDescription: Missing security system updates on your servers will be monitored by Azure Security Center as recommendations

SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup: jm-lustrefs-rg-eus; ResourceType: Microsoft.Compute/virtualMachines; ResourceTags: tbd; ResourceLocation: eastus
IsCompliant: True; ComplianceState: Compliant; Resource: lustre; ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre
PolicySetDefinition: 12794019-7a00-42cf-95c2-882eed337cc8 (version 1.0.0, category guest configuration); PolicySetDefinitionId: /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8
PolicyDefinition: 3cf2ab00-13f1-4d0c-8971-2ac904541a7e (version 4.0.0); PolicyDefinitionReferenceId: prerequisite_addsystemidentitywhennone; PolicyDefinitionCategory: tbd; PolicyDefinitionAction: modify; PolicyDefinitionId: /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e
PolicyAssignment: f34f1577286a4f77b5dd107c; PolicyAssignmentScope: /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd; PolicyAssignmentParameters: tbd; PolicyAssignmentId: /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c
PolicyDisplayName: Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities; PolicyCategory: Guest Configuration
PolicyDescription: This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.

SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup: JM-LUSTREFS-RG-EUS; ResourceType: Microsoft.Compute/virtualMachines; ResourceTags: tbd; ResourceLocation: eastus
IsCompliant: False; ComplianceState: NonCompliant; Resource: lustre-rbh; ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh
PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (version 55.0.0, category security center); PolicySetDefinitionId: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicyDefinition: a4fe33eb-e377-4efb-ab31-0784311bc499 (version 1.0.0); PolicyDefinitionReferenceId: installloganalyticsagentonvmmonitoring; PolicyDefinitionGroupNames: azure_security_benchmark_v3.0_lt-5; PolicyDefinitionCategory: tbd; PolicyDefinitionAction: auditifnotexists; PolicyDefinitionId: /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499
PolicyAssignment: SecurityCenterBuiltIn; PolicyAssignmentScope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622; PolicyAssignmentParameters: tbd; PolicyAssignmentId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
PolicyDisplayName: Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring; PolicyCategory: Security Center
PolicyDescription: This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats

SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup: jm-lustrefs-rg-eus; ResourceType: Microsoft.Compute/virtualMachines; ResourceTags: tbd; ResourceLocation: eastus
IsCompliant: True; ComplianceState: Compliant; Resource: lustre; ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre
PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (version 55.0.0, category security center); PolicySetDefinitionId: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicyDefinition: 630c64f9-8b6b-4c64-b511-6544ceff6fd6 (version 3.0.0); PolicyDefinitionReferenceId: authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect; PolicyDefinitionGroupNames: azure_security_benchmark_v3.0_im-6; PolicyDefinitionCategory: tbd; PolicyDefinitionAction: auditifnotexists; PolicyDefinitionId: /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6
PolicyAssignment: SecurityCenterBuiltIn; PolicyAssignmentScope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622; PolicyAssignmentParameters: tbd; PolicyAssignmentId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
PolicyDisplayName: Authentication to Linux machines should require SSH keys; PolicyCategory: Guest Configuration
PolicyDescription: Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.

SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup: JM-LUSTREFS-RG-EUS; ResourceType: Microsoft.Compute/virtualMachines; ResourceTags: tbd; ResourceLocation: eastus
IsCompliant: False; ComplianceState: NonCompliant; Resource: lustre-rbh; ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh
PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (version 55.0.0, category security center); PolicySetDefinitionId: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicyDefinition: f85bf3e0-d513-442e-89c3-1784ad63382b (version 1.0.0-preview); PolicyDefinitionReferenceId: systemupdatesv2monitoring; PolicyDefinitionGroupNames: azure_security_benchmark_v3.0_pv-6; PolicyDefinitionCategory: tbd; PolicyDefinitionAction: auditifnotexists; PolicyDefinitionId: /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b
PolicyAssignment: SecurityCenterBuiltIn; PolicyAssignmentScope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622; PolicyAssignmentParameters: tbd; PolicyAssignmentId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
PolicyDisplayName: [Preview]: System updates should be installed on your machines (powered by Update Center); PolicyCategory: Security Center
PolicyDescription: Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.

SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup: JM-LUSTREFS-RG-EUS; ResourceType: Microsoft.Compute/virtualMachines; ResourceTags: tbd; ResourceLocation: eastus
IsCompliant: False; ComplianceState: NonCompliant; Resource: lustre-rbh; ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh
PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (version 55.0.0, category security center); PolicySetDefinitionId: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicyDefinition: b0f33259-77d7-4c9e-aac6-3aabcfae693c (version 3.0.0); PolicyDefinitionReferenceId: jitnetworkaccessmonitoring; PolicyDefinitionGroupNames: System.Object[]; PolicyDefinitionCategory: tbd; PolicyDefinitionAction: auditifnotexists; PolicyDefinitionId: /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c
PolicyAssignment: SecurityCenterBuiltIn; PolicyAssignmentScope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622; PolicyAssignmentParameters: tbd; PolicyAssignmentId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
PolicyDisplayName: Management ports of virtual machines should be protected with just-in-time network access control; PolicyCategory: Security Center
PolicyDescription: Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations

SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup: JM-LUSTREFS-RG-EUS; ResourceType: Microsoft.Compute/virtualMachines; ResourceTags: tbd; ResourceLocation: eastus
IsCompliant: False; ComplianceState: NonCompliant; Resource: lustre-rbh; ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh
PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (version 55.0.0, category security center); PolicySetDefinitionId: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicyDefinition: 47a6b606-51aa-4496-8bb7-64b11cf66adc (version 3.0.0); PolicyDefinitionReferenceId: adaptiveapplicationcontrolsmonitoring; PolicyDefinitionGroupNames: azure_security_benchmark_v3.0_am-5; PolicyDefinitionCategory: tbd; PolicyDefinitionAction: auditifnotexists; PolicyDefinitionId: /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc
PolicyAssignment: SecurityCenterBuiltIn; PolicyAssignmentScope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622; PolicyAssignmentParameters: tbd; PolicyAssignmentId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
PolicyDisplayName: Adaptive application controls for defining safe applications should be enabled on your machines; PolicyCategory: Security Center
PolicyDescription: Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.

SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup: JM-LUSTREFS-RG-EUS; ResourceType: Microsoft.Compute/virtualMachines; ResourceTags: tbd; ResourceLocation: eastus
IsCompliant: False; ComplianceState: NonCompliant; Resource: lustre-rbh; ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh
PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (version 55.0.0, category security center); PolicySetDefinitionId: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicyDefinition: 123a3936-f020-408a-ba0c-47873faf1534 (version 3.0.0); PolicyDefinitionReferenceId: adaptiveapplicationcontrolsupdatemonitoring; PolicyDefinitionGroupNames: azure_security_benchmark_v3.0_am-5; PolicyDefinitionCategory: tbd; PolicyDefinitionAction: auditifnotexists; PolicyDefinitionId: /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534
PolicyAssignment: SecurityCenterBuiltIn; PolicyAssignmentScope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622; PolicyAssignmentParameters: tbd; PolicyAssignmentId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
PolicyDisplayName: Allowlist rules in your adaptive application control policy should be updated; PolicyCategory: Security Center
PolicyDescription: Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.

SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup: JM-LUSTREFS-RG-EUS; ResourceType: Microsoft.Compute/virtualMachines; ResourceTags: tbd; ResourceLocation: eastus
IsCompliant: False; ComplianceState: NonCompliant; Resource: lustre-rbh; ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh
PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (version 55.0.0, category security center); PolicySetDefinitionId: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicyDefinition: f6de0be7-9a8a-4b8a-b349-43cf02d22f7c (version 3.0.0); PolicyDefinitionReferenceId: networksecuritygroupsonvirtualmachinesmonitoring; PolicyDefinitionGroupNames: azure_security_benchmark_v3.0_ns-1; PolicyDefinitionCategory: tbd; PolicyDefinitionAction: auditifnotexists; PolicyDefinitionId: /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c
PolicyAssignment: SecurityCenterBuiltIn; PolicyAssignmentScope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622; PolicyAssignmentParameters: tbd; PolicyAssignmentId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
PolicyDisplayName: Internet-facing virtual machines should be protected with network security groups; PolicyCategory: Security Center
PolicyDescription: Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc

SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup: JM-LUSTREFS-RG-EUS; ResourceType: Microsoft.Compute/virtualMachines; ResourceTags: tbd; ResourceLocation: eastus
IsCompliant: False; ComplianceState: NonCompliant; Resource: lustre-rbh; ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh
PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (version 55.0.0, category security center); PolicySetDefinitionId: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicyDefinition: bb91dfba-c30d-4263-9add-9c2384e659a6 (version 3.0.0); PolicyDefinitionReferenceId: networksecuritygroupsoninternalvirtualmachinesmonitoring; PolicyDefinitionGroupNames: azure_security_benchmark_v3.0_ns-1; PolicyDefinitionCategory: tbd; PolicyDefinitionAction: auditifnotexists; PolicyDefinitionId: /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6
PolicyAssignment: SecurityCenterBuiltIn; PolicyAssignmentScope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622; PolicyAssignmentParameters: tbd; PolicyAssignmentId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
PolicyDisplayName: Non-internet-facing virtual machines should be protected with network security groups; PolicyCategory: Security Center
PolicyDescription: Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc

SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup: JM-LUSTREFS-RG-EUS; ResourceType: Microsoft.Compute/virtualMachines; ResourceTags: tbd; ResourceLocation: eastus
IsCompliant: False; ComplianceState: NonCompliant; Resource: lustre-rbh; ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh
PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (version 55.0.0, category security center); PolicySetDefinitionId: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicyDefinition: e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 (version 3.0.0); PolicyDefinitionReferenceId: systemconfigurationsmonitoring; PolicyDefinitionGroupNames: azure_security_benchmark_v3.0_pv-6; PolicyDefinitionCategory: tbd; PolicyDefinitionAction: auditifnotexists; PolicyDefinitionId: /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15
PolicyAssignment: SecurityCenterBuiltIn; PolicyAssignmentScope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622; PolicyAssignmentParameters: tbd; PolicyAssignmentId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
PolicyDisplayName: Vulnerabilities in security configuration on your machines should be remediated; PolicyCategory: Security Center
PolicyDescription: Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations

SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup: JM-LUSTREFS-RG-EUS; ResourceType: Microsoft.Compute/virtualMachines; ResourceTags: tbd; ResourceLocation: eastus
IsCompliant: False; ComplianceState: NonCompliant; Resource: lustre-rbh; ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh
PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (version 55.0.0, category security center); PolicySetDefinitionId: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicyDefinition: af6cd1bd-1635-48cb-bde7-5b15693900b9 (version 3.0.0); PolicyDefinitionReferenceId: endpointprotectionmonitoring; PolicyDefinitionGroupNames: azure_security_benchmark_v3.0_es-2; PolicyDefinitionCategory: tbd; PolicyDefinitionAction: auditifnotexists; PolicyDefinitionId: /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9
PolicyAssignment: SecurityCenterBuiltIn; PolicyAssignmentScope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622; PolicyAssignmentParameters: tbd; PolicyAssignmentId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
PolicyDisplayName: Monitor missing Endpoint Protection in Azure Security Center; PolicyCategory: Security Center
PolicyDescription: Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations

SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup: JM-LUSTREFS-RG-EUS; ResourceType: Microsoft.Compute/virtualMachines; ResourceTags: tbd; ResourceLocation: eastus
IsCompliant: False; ComplianceState: NonCompliant; Resource: lustre-rbh; ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh
PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (version 55.0.0, category security center); PolicySetDefinitionId: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicyDefinition: 0961003e-5a0a-4549-abde-af6a37f2724d (version 2.0.3); PolicyDefinitionReferenceId: diskencryptionmonitoring; PolicyDefinitionGroupNames: azure_security_benchmark_v3.0_dp-4; PolicyDefinitionCategory: tbd; PolicyDefinitionAction: auditifnotexists; PolicyDefinitionId: /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d
PolicyAssignment: SecurityCenterBuiltIn; PolicyAssignmentScope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622; PolicyAssignmentParameters: tbd; PolicyAssignmentId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
PolicyDisplayName: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources; PolicyCategory: Security Center
PolicyDescription: By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison

SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup: JM-LUSTREFS-RG-EUS; ResourceType: Microsoft.Compute/virtualMachines; ResourceTags: tbd; ResourceLocation: eastus
IsCompliant: True; ComplianceState: Compliant; Resource: lustre-rbh; ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh
PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (version 55.0.0, category security center); PolicySetDefinitionId: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicyDefinition: ae89ebca-1c92-4898-ac2c-9f63decb045c (version 1.0.2); PolicyDefinitionReferenceId: gcextonvmmonitoring; PolicyDefinitionGroupNames: azure_security_benchmark_v3.0_pv-4; PolicyDefinitionCategory: tbd; PolicyDefinitionAction: auditifnotexists; PolicyDefinitionId: /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c
PolicyAssignment: SecurityCenterBuiltIn; PolicyAssignmentScope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622; PolicyAssignmentParameters: tbd; PolicyAssignmentId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
PolicyDisplayName: Guest Configuration extension should be installed on your machines; PolicyCategory: Security Center
PolicyDescription: To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.

SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup: JM-LUSTREFS-RG-EUS; ResourceType: Microsoft.Compute/virtualMachines; ResourceTags: tbd; ResourceLocation: eastus
IsCompliant: False; ComplianceState: NonCompliant; Resource: lustre-rbh; ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh
PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (version 55.0.0, category security center); PolicySetDefinitionId: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicyDefinition: 501541f7-f7e7-4cd6-868c-4190fdad3ac9 (version 3.0.0); PolicyDefinitionReferenceId: servervulnerabilityassessment; PolicyDefinitionGroupNames: azure_security_benchmark_v3.0_pv-5; PolicyDefinitionCategory: tbd; PolicyDefinitionAction: auditifnotexists; PolicyDefinitionId: /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9
PolicyAssignment: SecurityCenterBuiltIn; PolicyAssignmentScope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622; PolicyAssignmentParameters: tbd; PolicyAssignmentId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
PolicyDisplayName: A vulnerability assessment solution should be enabled on your virtual machines; PolicyCategory: Security Center
PolicyDescription: Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.

SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup: JM-LUSTREFS-RG-EUS; ResourceType: Microsoft.Compute/virtualMachines; ResourceTags: tbd; ResourceLocation: eastus
IsCompliant: False; ComplianceState: NonCompliant; Resource: lustre-rbh; ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh
PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (version 55.0.0, category security center); PolicySetDefinitionId: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicyDefinition: 9daedab3-fb2d-461e-b861-71790eead4f6 (version 3.0.0); PolicyDefinitionReferenceId: nextgenerationfirewallmonitoring; PolicyDefinitionGroupNames: azure_security_benchmark_v3.0_ns-1; PolicyDefinitionCategory: tbd; PolicyDefinitionAction: auditifnotexists; PolicyDefinitionId: /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6
PolicyAssignment: SecurityCenterBuiltIn; PolicyAssignmentScope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622; PolicyAssignmentParameters: tbd; PolicyAssignmentId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
PolicyDisplayName: All network ports should be restricted on network security groups associated to your virtual machine; PolicyCategory: Security Center
PolicyDescription: Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.

SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup: JM-LUSTREFS-RG-EUS; ResourceType: Microsoft.Compute/virtualMachines; ResourceTags: tbd; ResourceLocation: eastus
IsCompliant: False; ComplianceState: NonCompliant; Resource: lustre-rbh; ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh
PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (version 55.0.0, category security center); PolicySetDefinitionId: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicyDefinition: 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d (version 1.0.0); PolicyDefinitionReferenceId: serversqldbvulnerabilityassesmentmonitoring; PolicyDefinitionGroupNames: azure_security_benchmark_v3.0_pv-6; PolicyDefinitionCategory: tbd; PolicyDefinitionAction: auditifnotexists; PolicyDefinitionId: /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d
PolicyAssignment: SecurityCenterBuiltIn; PolicyAssignmentScope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622; PolicyAssignmentParameters: tbd; PolicyAssignmentId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
PolicyDisplayName: SQL servers on machines should have vulnerability findings resolved; PolicyCategory: Security Center
PolicyDescription: SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.

SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup: JM-LUSTREFS-RG-EUS; ResourceType: Microsoft.Compute/virtualMachines; ResourceTags: tbd; ResourceLocation: eastus
IsCompliant: False; ComplianceState: NonCompliant; Resource: lustre-rbh; ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh
PolicySetDefinition: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (version 55.0.0, category security center); PolicySetDefinitionId: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicyDefinition: 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 (version 3.0.0); PolicyDefinitionReferenceId: adaptivenetworkhardeningsmonitoring; PolicyDefinitionGroupNames: System.Object[]; PolicyDefinitionCategory: tbd; PolicyDefinitionAction: auditifnotexists; PolicyDefinitionId: /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6
PolicyAssignment: SecurityCenterBuiltIn; PolicyAssignmentScope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622; PolicyAssignmentParameters: tbd; PolicyAssignmentId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
PolicyDisplayName: Adaptive network hardening recommendations should be applied on internet facing virtual machines; PolicyCategory: Security Center
PolicyDescription: Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface

1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-LUSTREFS-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration3.0.0prerequisite_deployextensionlinux331e8ea8-378a-410f-a2e5-ae22f38bb0da/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0datbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration3.0.0prerequisite_deployextensionlinux331e8ea8-378a-410f-a2e5-ae22f38bb0da/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0datbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration3.0.0prerequisite_deployextensionlinux331e8ea8-378a-410f-a2e5-ae22f38bb0da/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0datbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
SubscriptionId | ResourceGroup | ResourceType | ResourceTags | ResourceLocation | IsCompliant | ComplianceState | ResourceId | Resource | PolicySetDefinitionVersion | PolicySetDefinitionName | PolicySetDefinitionId | PolicySetDefinitionCategory | PolicyDefinitionVersion | PolicyDefinitionReferenceId | PolicyDefinitionName | PolicyDefinitionId | PolicyDefinitionGroupNames | PolicyDefinitionCategory | PolicyDefinitionAction | PolicyAssignmentScope | PolicyAssignmentParameters | PolicyAssignmentName | PolicyAssignmentId | PolicyDescription | PolicyCategory | PolicyDisplayName
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | vmsssystemupdatesmonitoring | c3f317a7-a95c-4547-b7e7-11017ebdf2fe | /providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | Security Center | System updates on virtual machine scale sets should be installed
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | vmssosvulnerabilitiesmonitoring | 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | /providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | Security Center | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | installloganalyticsagentonvmssmonitoring | a3a6ea0c-e018-4933-9ef0-5aaa1501449b | /providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | Security Center | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | installloganalyticsagentonvmssmonitoring | a3a6ea0c-e018-4933-9ef0-5aaa1501449b | /providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | Security Center | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | vmssendpointprotectionmonitoring | 26a828e1-e88f-464e-bbb3-c134a282b9de | /providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. | Security Center | Endpoint protection solution should be installed on virtual machine scale sets
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss | lustre-vmss | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 2.1.0 | diagnosticslogsinservicefabricmonitoringeffect | 7c1b1214-f927-48bf-8882-84f0af6588b1 | /providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. | Compute | Resource logs in Virtual Machine Scale Sets should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 1.0.0 | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 |  | tbd | modify | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622 | jm-lustrefs-rg-eus | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh | lustre-rbh | 1.0.0 | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e |  | tbd | modify | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,"Adaptive application controls for defining safe applications should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,"Allowlist rules in your adaptive application control policy should be updated"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,"Guest Configuration extension should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,"Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines/extensions,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre/extensions/azurepolicyforlinux,azurepolicyforlinux,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,"Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines/extensions,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh/extensions/azurepolicyforlinux,azurepolicyforlinux,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,"Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines/extensions,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh/extensions/azurepolicyforlinux,azurepolicyforlinux,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,"Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines/extensions,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre/extensions/azurepolicyforlinux,azurepolicyforlinux,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,"Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachineScaleSets,tbd,eastus,True,Exempt,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss,lustre-vmss,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vmsssystemupdatesmonitoring,c3f317a7-a95c-4547-b7e7-11017ebdf2fe,/providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure.",Security Center,"System updates on virtual machine scale sets should be installed"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,True,Exempt,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,"System updates should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,"Management ports of virtual machines should be protected with just-in-time network access control"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,"Vulnerabilities in container security configurations should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachineScaleSets,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss,lustre-vmss,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.1.0,diagnosticslogsinservicefabricmonitoringeffect,7c1b1214-f927-48bf-8882-84f0af6588b1,/providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1,azure_security_benchmark_v3.0_lt-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise.",Compute,"Resource logs in Virtual Machine Scale Sets should be enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachineScaleSets,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss,lustre-vmss,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vmssendpointprotectionmonitoring,26a828e1-e88f-464e-bbb3-c134a282b9de,/providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.",Security Center,"Endpoint protection solution should be installed on virtual machine scale sets"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,"Adaptive network hardening recommendations should be applied on internet facing virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,"Management ports should be closed on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,"IP Forwarding on your virtual machine should be disabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,"SQL servers on machines should have vulnerability findings resolved"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,"Monitor missing Endpoint Protection in Azure Security Center"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,"A vulnerability assessment solution should be enabled on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Non-internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,"Vulnerabilities in security configuration on your machines should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,"Adaptive application controls for defining safe applications should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,"Management ports of virtual machines should be protected with just-in-time network access control"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,"[Preview]: System updates should be installed on your machines (powered by Update Center)"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,"Allowlist rules in your adaptive application control policy should be updated"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,"IP Forwarding on your virtual machine should be disabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,"System updates should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,"Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring"
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmssosvulnerabilitiesmonitoring3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4/providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks.Security CenterVulnerabilities in security configuration on your virtual machine scale sets should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmssendpointprotectionmonitoring26a828e1-e88f-464e-bbb3-c134a282b9de/providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9deazure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.Security CenterEndpoint protection solution should be installed on virtual machine scale sets
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmssmonitoringa3a6ea0c-e018-4933-9ef0-5aaa1501449b/providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449bazure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecurity Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats.Security CenterLog Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmssosvulnerabilitiesmonitoring3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4/providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks.Security CenterVulnerabilities in security configuration on your virtual machine scale sets should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmssendpointprotectionmonitoring26a828e1-e88f-464e-bbb3-c134a282b9de/providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9deazure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.Security CenterEndpoint protection solution should be installed on virtual machine scale sets
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmsssystemupdatesmonitoringc3f317a7-a95c-4547-b7e7-11017ebdf2fe/providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2feazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure.Security CenterSystem updates on virtual machine scale sets should be installed
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.1.0diagnosticslogsinservicefabricmonitoringeffect7c1b1214-f927-48bf-8882-84f0af6588b1/providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1azure_security_benchmark_v3.0_lt-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineIt is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise.ComputeResource logs in Virtual Machine Scale Sets should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.1.0diagnosticslogsinservicefabricmonitoringeffect7c1b1214-f927-48bf-8882-84f0af6588b1/providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1azure_security_benchmark_v3.0_lt-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinIt is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise.ComputeResource logs in Virtual Machine Scale Sets should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmssosvulnerabilitiesmonitoring3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4/providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks.Security CenterVulnerabilities in security configuration on your virtual machine scale sets should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,"Guest Configuration extension should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,"[Preview]: Machines should be configured to periodically check for missing system updates"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,"Virtual machines should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,"[Preview]: Secure Boot should be enabled on supported Windows virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,"[Preview]: vTPM should be enabled on supported virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,"[Preview]: Machines should be configured to periodically check for missing system updates"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,"Virtual machines should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhenuser,497dff13-db2a-4c0f-8603-28fa3b331ab6,/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhennone,3cf2ab00-13f1-4d0c-8971-2ac904541a7e,/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines/extensions,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh/extensions/azurepolicyforlinux,azurepolicyforlinux,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,"Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines/extensions,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh/extensions/azurepolicyforlinux,azurepolicyforlinux,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,"Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,"Authentication to Linux machines should require SSH keys"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,"Authentication to Linux machines should require SSH keys"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Linux machines should meet requirements for the Azure compute security baseline"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Linux machines should meet requirements for the Azure compute security baseline"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,True,Exempt,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,"System updates should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachineScaleSets,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss,lustre-vmss,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmssmonitoring,a3a6ea0c-e018-4933-9ef0-5aaa1501449b,/providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats.",Security Center,"Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines/extensions,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre/extensions/azurepolicyforlinux,azurepolicyforlinux,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,"Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,"[Preview]: vTPM should be enabled on supported virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,"[Preview]: Secure Boot should be enabled on supported Windows virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,True,Exempt,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,"System updates should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,"Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,3.0.0,prerequisite_deployextensionlinux,331e8ea8-378a-410f-a2e5-ae22f38bb0da,/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da,,tbd,deployifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Linux machines should meet requirements for the Azure compute security baseline"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,"Endpoint protection health issues should be resolved on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,"Vulnerabilities in container security configurations should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,"Endpoint protection should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,"A vulnerability assessment solution should be enabled on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,"SQL servers on machines should have vulnerability findings resolved"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,"Adaptive network hardening recommendations should be applied on internet facing virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhenuser,497dff13-db2a-4c0f-8603-28fa3b331ab6,/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhennone,3cf2ab00-13f1-4d0c-8971-2ac904541a7e,/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachineScaleSets,tbd,eastus,True,Exempt,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss,lustre-vmss,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vmsssystemupdatesmonitoring,c3f317a7-a95c-4547-b7e7-11017ebdf2fe,/providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure.",Security Center,System updates on virtual machine scale sets should be installed
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachineScaleSets,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss,lustre-vmss,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachineScaleSets,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss,lustre-vmss,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vmssendpointprotectionmonitoring,26a828e1-e88f-464e-bbb3-c134a282b9de,/providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.",Security Center,Endpoint protection solution should be installed on virtual machine scale sets
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachineScaleSets,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss,lustre-vmss,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vmssosvulnerabilitiesmonitoring,3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4,/providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks.",Security Center,Vulnerabilities in security configuration on your virtual machine scale sets should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachineScaleSets,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss,lustre-vmss,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vmsssystemupdatesmonitoring,c3f317a7-a95c-4547-b7e7-11017ebdf2fe,/providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure.",Security Center,System updates on virtual machine scale sets should be installed
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,Guest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,Management ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,Allowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,Management ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,Linux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,SQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines/extensions,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh/extensions/azurepolicyforlinux,azurepolicyforlinux,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines/extensions,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh/extensions/azurepolicyforlinux,azurepolicyforlinux,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachineScaleSets,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss,lustre-vmss,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.1.0,diagnosticslogsinservicefabricmonitoringeffect,7c1b1214-f927-48bf-8882-84f0af6588b1,/providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1,azure_security_benchmark_v3.0_lt-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise.",Compute,Resource logs in Virtual Machine Scale Sets should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,All network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,A vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,Monitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,Adaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,Vulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Non-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,Adaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,Guest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachineScaleSets,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss,lustre-vmss,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmssmonitoring,a3a6ea0c-e018-4933-9ef0-5aaa1501449b,/providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats.",Security Center,Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmssendpointprotectionmonitoring26a828e1-e88f-464e-bbb3-c134a282b9de/providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9deazure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.Security CenterEndpoint protection solution should be installed on virtual machine scale sets
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmssosvulnerabilitiesmonitoring3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4/providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks.Security CenterVulnerabilities in security configuration on your virtual machine scale sets should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmssmonitoringa3a6ea0c-e018-4933-9ef0-5aaa1501449b/providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449bazure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSecurity Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats.Security CenterLog Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachineScaleSetstbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmsssystemupdatesmonitoringc3f317a7-a95c-4547-b7e7-11017ebdf2fe/providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2feazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure.Security CenterSystem updates on virtual machine scale sets should be installed
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.1.0diagnosticslogsinservicefabricmonitoringeffect7c1b1214-f927-48bf-8882-84f0af6588b1/providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1azure_security_benchmark_v3.0_lt-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinIt is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise.ComputeResource logs in Virtual Machine Scale Sets should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,Linux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,Management ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,Guest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachineScaleSets,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss,lustre-vmss,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachineScaleSets,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss,lustre-vmss,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vmsssystemupdatesmonitoring,c3f317a7-a95c-4547-b7e7-11017ebdf2fe,/providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure.",Security Center,System updates on virtual machine scale sets should be installed
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachineScaleSets,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss,lustre-vmss,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.1.0,diagnosticslogsinservicefabricmonitoringeffect,7c1b1214-f927-48bf-8882-84f0af6588b1,/providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1,azure_security_benchmark_v3.0_lt-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise.",Compute,Resource logs in Virtual Machine Scale Sets should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,All network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,3.0.0,prerequisite_deployextensionlinux,331e8ea8-378a-410f-a2e5-ae22f38bb0da,/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da,,tbd,deployifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Non-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,Monitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,Vulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,Allowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,Management ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,System updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,Guest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,A vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,3.0.0,prerequisite_deployextensionlinux,331e8ea8-378a-410f-a2e5-ae22f38bb0da,/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da,,tbd,deployifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,Azure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,Vulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,Adaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachineScaleSets,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss,lustre-vmss,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vmssendpointprotectionmonitoring,26a828e1-e88f-464e-bbb3-c134a282b9de,/providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.",Security Center,Endpoint protection solution should be installed on virtual machine scale sets
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,IP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachineScaleSets,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmss,lustre-vmss,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmssmonitoring,a3a6ea0c-e018-4933-9ef0-5aaa1501449b,/providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats.",Security Center,Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-lustrefs-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Non-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmssosvulnerabilitiesmonitoring3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4/providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks.Security CenterVulnerabilities in security configuration on your virtual machine scale sets should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.1.0diagnosticslogsinservicefabricmonitoringeffect7c1b1214-f927-48bf-8882-84f0af6588b1/providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1azure_security_benchmark_v3.0_lt-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinIt is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise.ComputeResource logs in Virtual Machine Scale Sets should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmssendpointprotectionmonitoring26a828e1-e88f-464e-bbb3-c134a282b9de/providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9deazure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.Security CenterEndpoint protection solution should be installed on virtual machine scale sets
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmssmonitoringa3a6ea0c-e018-4933-9ef0-5aaa1501449b/providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449bazure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSecurity Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats.Security CenterLog Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmssosvulnerabilitiesmonitoring3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4/providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks.Security CenterVulnerabilities in security configuration on your virtual machine scale sets should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-lustrefs-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-lustrefs-rg-eus/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622jmNfsRgMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmgpstoragejmgpstorage55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622jmNfsRgMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmgpstoragejmgpstorage55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jmNfsRgMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmnfsblobsajmnfsblobsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jmnfsrgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vmjm-centos79-vm1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622jmNfsRgMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmgpstoragejmgpstorage55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622jmnfsrgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vmjm-centos79-vm1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622jmNfsRgMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmgpstoragejmgpstorage55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jmNfsRgMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmgpstoragejmgpstorage55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622jmNfsRgMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmnfsblobsajmnfsblobsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622jmNfsRgMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmgpstoragejmgpstorage55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jmNfsRgMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmgpstoragejmgpstorage55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622jmNfsRgMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmgpstoragejmgpstorage55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622jmNfsRgMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmnfsblobsajmnfsblobsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jmNfsRgMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmnfsblobsajmnfsblobsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jmNfsRgMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmnfsblobsajmnfsblobsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622jmNfsRgMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmnfsblobsajmnfsblobsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm,jm-centos79-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,jmNfsRg,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmgpstorage,jmgpstorage,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm,jm-centos79-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm,jm-centos79-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,Vulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm,jm-centos79-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jmNfsRg,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmnfsblobsa,jmnfsblobsa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,Storage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,jmNfsRg,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmgbbxnfsblobeus,jmgbbxnfsblobeus,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm,jm-centos79-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm,jm-centos79-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,Monitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm,jm-centos79-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Non-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm,jm-centos79-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm,jm-centos79-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,Allowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622,jmNfsRg,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmgbbxnfsblobeus,jmgbbxnfsblobeus,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,Storage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm,jm-centos79-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,Adaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm,jm-centos79-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,Management ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm,jm-centos79-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622,jmNfsRg,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmgbbxnfsblobeus,jmgbbxnfsblobeus,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622,jmNfsRg,Microsoft.Storage/storageAccounts,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmgbbxnfsblobeus,jmgbbxnfsblobeus,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,Storage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm,jm-centos79-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Exempt,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm,jm-centos79-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,System updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm,jm-centos79-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm,jm-centos79-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm,jm-centos79-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm,jm-centos79-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm,jm-centos79-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jmNfsRg,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmnfsblobsa,jmnfsblobsa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622,jmNfsRg,Microsoft.DBforMariaDB/servers,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.dbformariadb/servers/jmslurmacctdbeus,jmslurmacctdbeus,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,georedundantbackupshouldbeenabledforazuredatabaseformariadbmonitoringeffect,0ec47710-77ff-4a3d-9181-6aa50af424d0,/providers/microsoft.authorization/policydefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0,System.Object[],tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.",SQL,Geo-redundant backup should be enabled for Azure Database for MariaDB
1d81cec7-7ded-4731-884e-90c5aa59c622,jmNfsRg,Microsoft.Storage/storageAccounts,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmgbbxnfsblobeus,jmgbbxnfsblobeus,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,Storage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Network/virtualNetworks,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.network/virtualnetworks/jmnfsvnet,jmnfsvnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vnetenableddosprotectionmonitoring,a7aca53f-2ed4-4466-a25e-0b45ade68efd,/providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd,azure_security_benchmark_v3.0_ns-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.",Security Center,Azure DDoS Protection Standard should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Network/virtualNetworks,tbd,eastus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.network/virtualnetworks/jmnfsrg-vnet,jmnfsrg-vnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vnetenableddosprotectionmonitoring,a7aca53f-2ed4-4466-a25e-0b45ade68efd,/providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd,azure_security_benchmark_v3.0_ns-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.",Security Center,Azure DDoS Protection Standard should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jmNfsRg,Microsoft.Storage/storageAccounts,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmgpstorage,jmgpstorage,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,Storage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622jmNfsRgMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmnfsfilessajmnfsfilessa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622jmNfsRgMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmnfsblobsajmnfsblobsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622jmNfsRgMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmnfsfilessajmnfsfilessa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622jmNfsRgMicrosoft.DBforMariaDB/serverstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.dbformariadb/servers/jmslurmacctdbeusjmslurmacctdbeus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2privateendpointshouldbeenabledformariadbserversmonitoringeffect0a1302fb-a631-4106-9753-f3d494733990/providers/microsoft.authorization/policydefinitions/0a1302fb-a631-4106-9753-f3d494733990azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPrivate endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.SQLPrivate endpoint should be enabled for MariaDB servers
1d81cec7-7ded-4731-884e-90c5aa59c622jmNfsRgMicrosoft.DBforMariaDB/serverstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.dbformariadb/servers/jmslurmacctdbeusjmslurmacctdbeus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2privateendpointshouldbeenabledformariadbserversmonitoringeffect0a1302fb-a631-4106-9753-f3d494733990/providers/microsoft.authorization/policydefinitions/0a1302fb-a631-4106-9753-f3d494733990azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePrivate endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.SQLPrivate endpoint should be enabled for MariaDB servers
1d81cec7-7ded-4731-884e-90c5aa59c622jmNfsRgMicrosoft.DBforMariaDB/serverstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.dbformariadb/servers/jmslurmacctdbeusjmslurmacctdbeus1.0.1e77fc0b3-f7e9-4c58-bc13-cb753ed8e46e/providers/Microsoft.Authorization/policySetDefinitions/e77fc0b3-f7e9-4c58-bc13-cb753ed8e46esecurity center1.0.1deployadvancedthreatprotectiononazuredatabaseformariadbservera6cf7411-da9e-49e2-aec0-cba0250eaf8c/providers/microsoft.authorization/policydefinitions/a6cf7411-da9e-49e2-aec0-cba0250eaf8ctbddeployifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdOpenSourceRelationalDatabasesProtectionSecurityCenter/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/opensourcerelationaldatabasesprotectionsecuritycenterEnable Advanced Threat Protection on your non-Basic tier Azure database for MariaDB servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.SQLConfigure Advanced Threat Protection to be enabled on Azure database for MariaDB servers
1d81cec7-7ded-4731-884e-90c5aa59c622jmNfsRgMicrosoft.DBforMariaDB/serverstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.dbformariadb/servers/jmgbbmariadbeusjmgbbmariadbeus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2privateendpointshouldbeenabledformariadbserversmonitoringeffect0a1302fb-a631-4106-9753-f3d494733990/providers/microsoft.authorization/policydefinitions/0a1302fb-a631-4106-9753-f3d494733990azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePrivate endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.SQLPrivate endpoint should be enabled for MariaDB servers
1d81cec7-7ded-4731-884e-90c5aa59c622jmNfsRgMicrosoft.DBforMariaDB/serverstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.dbformariadb/servers/jmslurmacctdbeusjmslurmacctdbeus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0publicnetworkaccessshouldbedisabledformariadbserversmonitoringeffectfdccbe47-f3e3-4213-ad5d-ea459b2fa077/providers/microsoft.authorization/policydefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineDisable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.SQLPublic network access should be disabled for MariaDB servers
1d81cec7-7ded-4731-884e-90c5aa59c622jmnfsrgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vmjm-centos79-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jmNfsRgMicrosoft.DBforMariaDB/serverstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.dbformariadb/servers/jmslurmacctdbeusjmslurmacctdbeus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0publicnetworkaccessshouldbedisabledformariadbserversmonitoringeffectfdccbe47-f3e3-4213-ad5d-ea459b2fa077/providers/microsoft.authorization/policydefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDisable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.SQLPublic network access should be disabled for MariaDB servers
1d81cec7-7ded-4731-884e-90c5aa59c622jmNfsRgMicrosoft.DBforMariaDB/serverstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.dbformariadb/servers/jmslurmacctdbeusjmslurmacctdbeus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1georedundantbackupshouldbeenabledforazuredatabaseformariadbmonitoringeffect0ec47710-77ff-4a3d-9181-6aa50af424d0/providers/microsoft.authorization/policydefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0System.Object[]tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.SQLGeo-redundant backup should be enabled for Azure Database for MariaDB
1d81cec7-7ded-4731-884e-90c5aa59c622jmNfsRgMicrosoft.DBforMariaDB/serverstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.dbformariadb/servers/jmgbbmariadbeusjmgbbmariadbeus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2privateendpointshouldbeenabledformariadbserversmonitoringeffect0a1302fb-a631-4106-9753-f3d494733990/providers/microsoft.authorization/policydefinitions/0a1302fb-a631-4106-9753-f3d494733990azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPrivate endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.SQLPrivate endpoint should be enabled for MariaDB servers
1d81cec7-7ded-4731-884e-90c5aa59c622jmNfsRgMicrosoft.DBforMariaDB/serverstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.dbformariadb/servers/jmgbbmariadbeusjmgbbmariadbeus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0publicnetworkaccessshouldbedisabledformariadbserversmonitoringeffectfdccbe47-f3e3-4213-ad5d-ea459b2fa077/providers/microsoft.authorization/policydefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineDisable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.SQLPublic network access should be disabled for MariaDB servers
1d81cec7-7ded-4731-884e-90c5aa59c622jmNfsRgMicrosoft.DBforMariaDB/serverstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.dbformariadb/servers/jmgbbmariadbeusjmgbbmariadbeus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1georedundantbackupshouldbeenabledforazuredatabaseformariadbmonitoringeffect0ec47710-77ff-4a3d-9181-6aa50af424d0/providers/microsoft.authorization/policydefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0System.Object[]tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.SQLGeo-redundant backup should be enabled for Azure Database for MariaDB
1d81cec7-7ded-4731-884e-90c5aa59c622jmNfsRgMicrosoft.DBforMariaDB/serverstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.dbformariadb/servers/jmgbbmariadbeusjmgbbmariadbeus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0publicnetworkaccessshouldbedisabledformariadbserversmonitoringeffectfdccbe47-f3e3-4213-ad5d-ea459b2fa077/providers/microsoft.authorization/policydefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDisable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.SQLPublic network access should be disabled for MariaDB servers
1d81cec7-7ded-4731-884e-90c5aa59c622jmNfsRgMicrosoft.DBforMariaDB/serverstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.dbformariadb/servers/jmgbbmariadbeusjmgbbmariadbeus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1georedundantbackupshouldbeenabledforazuredatabaseformariadbmonitoringeffect0ec47710-77ff-4a3d-9181-6aa50af424d0/providers/microsoft.authorization/policydefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0System.Object[]tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.SQLGeo-redundant backup should be enabled for Azure Database for MariaDB
1d81cec7-7ded-4731-884e-90c5aa59c622jmnfsrgMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.network/virtualnetworks/jmnfsrg-vnet/subnets/defaultdefault55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622jmNfsRgMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmnfsblobsajmnfsblobsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622jmnfsrgMicrosoft.Network/virtualNetworks/subnetstbdFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.network/virtualnetworks/jmnfsvnet/subnets/jm-gbb-anf-eus-snjm-gbb-anf-eus-sn55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622jmnfsrgMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.network/virtualnetworks/jmnfsvnet/subnets/jmnfssnjmnfssn55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622jmNfsRgMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmnfsblobsajmnfsblobsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622jmNfsRgMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmgbbxnfsblobeusjmgbbxnfsblobeus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622,jmNfsRg,Microsoft.Storage/storageAccounts,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmgpstorage,jmgpstorage,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,Storage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622,jmNfsRg,Microsoft.Storage/storageAccounts,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmnfsfilessa,jmnfsfilessa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jmNfsRg,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmnfsfilessa,jmnfsfilessa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,Storage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,jmNfsRg,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmnfsfilessa,jmnfsfilessa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622,jmNfsRg,Microsoft.Storage/storageAccounts,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmnfsfilessa,jmnfsfilessa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,Storage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622,jmNfsRg,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmnfsfilessa,jmnfsfilessa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.1.1,disableunrestrictednetworktostorageaccountmonitoring,34c877ad-507e-4c82-993e-3452a6e0ad3c,/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges",Storage,Storage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622,jmNfsRg,Microsoft.Storage/storageAccounts,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmnfsfilessa,jmnfsfilessa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jmNfsRg,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmnfsfilessa,jmnfsfilessa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,Storage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,jmNfsRg,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmnfsfilessa,jmnfsfilessa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622,jmNfsRg,Microsoft.Storage/storageAccounts,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmnfsfilessa,jmnfsfilessa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,Storage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Network/virtualNetworks,tbd,eastus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.network/virtualnetworks/jmnfsrg-vnet,jmnfsrg-vnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networkwatchershouldbeenabledmonitoringeffect,b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,azure_security_benchmark_v3.0_ir-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.",Network,Network Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Network/virtualNetworks,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.network/virtualnetworks/jmnfsvnet,jmnfsvnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networkwatchershouldbeenabledmonitoringeffect,b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,azure_security_benchmark_v3.0_ir-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.",Network,Network Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Network/virtualNetworks,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.network/virtualnetworks/jmnfsvnet,jmnfsvnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networkwatchershouldbeenabledmonitoringeffect,b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,azure_security_benchmark_v3.0_ir-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.",Network,Network Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Network/virtualNetworks,tbd,eastus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.network/virtualnetworks/jmnfsrg-vnet,jmnfsrg-vnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networkwatchershouldbeenabledmonitoringeffect,b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,azure_security_benchmark_v3.0_ir-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.",Network,Network Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Network/virtualNetworks,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.network/virtualnetworks/jmnfsvnet,jmnfsvnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0-preview,azurefirewalleffect,fc5e4038-4584-4632-8c85-c0448d374b2c,/providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall",Network,[Preview]: All Internet traffic should be routed via your deployed Azure Firewall
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Network/virtualNetworks,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.network/virtualnetworks/jmnfsvnet,jmnfsvnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0-preview,azurefirewalleffect,fc5e4038-4584-4632-8c85-c0448d374b2c,/providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall",Network,[Preview]: All Internet traffic should be routed via your deployed Azure Firewall
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Network/virtualNetworks/subnets,tbd,,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.network/virtualnetworks/jmnfsvnet/subnets/jm-vfxt-sn,jm-vfxt-sn,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",Security Center,Subnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Network/virtualNetworks/subnets,tbd,,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.network/virtualnetworks/jmnfsvnet/subnets/jm-gbb-batch-eus-sn,jm-gbb-batch-eus-sn,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",Security Center,Subnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm,jm-centos79-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,All network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm,jm-centos79-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2-preview,ascdependencyagentauditlinuxeffect,04c4380f-3fae-46e8-96c9-30193528f602,/providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602,azure_security_benchmark_v3.0_lt-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.",Monitoring,[Preview]: Network traffic data collection agent should be installed on Linux virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm,jm-centos79-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,Adaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jmNfsRg,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmgbbxnfsblobeus,jmgbbxnfsblobeus,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm,slurm-image-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,Adaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm,slurm-image-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,Management ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm,slurm-image-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm,slurm-image-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,System updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm,slurm-image-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,Azure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm,slurm-image-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm,slurm-image-vm,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,3.0.0,prerequisite_deployextensionlinux,331e8ea8-378a-410f-a2e5-ae22f38bb0da,/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da,,tbd,deployifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm,slurm-image-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm,slurm-image-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jmNfsRgMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmgbbxnfsblobeusjmgbbxnfsblobeus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622jmnfsrgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vmslurm-image-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jmnfsrgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vmslurm-image-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622jmnfsrgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vmslurm-image-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jmNfsRgMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmgbbxnfsblobeusjmgbbxnfsblobeus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622jmnfsrgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vmslurm-image-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jmnfsrgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vmslurm-image-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622jmnfsrgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vmslurm-image-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622jmnfsrgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vmslurm-image-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jmnfsrgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vmslurm-image-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622jmnfsrgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vmslurm-image-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622jmnfsrgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vmslurm-image-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jmnfsrgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vmslurm-image-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jmnfsrgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vmslurm-image-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jmnfsrgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vmslurm-image-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622jmnfsrgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vmslurm-image-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622jmnfsrgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vmjm-centos79-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622jmnfsrgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vmslurm-image-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622jmnfsrgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vmjm-centos79-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622jmnfsrgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vmslurm-image-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622jmnfsrgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vmslurm-image-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622jmnfsrgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vmjm-centos79-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622jmnfsrgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vmjm-centos79-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines/extensions,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm/extensions/azurepolicyforlinux,azurepolicyforlinux,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,"Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm,slurm-image-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,"Endpoint protection health issues should be resolved on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm,slurm-image-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,"Endpoint protection should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmNfsRg,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmgbbxnfsblobeus,jmgbbxnfsblobeus,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,"Storage accounts should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm,slurm-image-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,"Azure Backup should be enabled for Virtual Machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm,slurm-image-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,"Vulnerabilities in container security configurations should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm,slurm-image-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,"IP Forwarding on your virtual machine should be disabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm,slurm-image-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,"Management ports should be closed on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm,slurm-image-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,"Adaptive network hardening recommendations should be applied on internet facing virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm,slurm-image-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,"SQL servers on machines should have vulnerability findings resolved"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm,slurm-image-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,"All network ports should be restricted on network security groups associated to your virtual machine"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm,slurm-image-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,"A vulnerability assessment solution should be enabled on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm,slurm-image-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm,slurm-image-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,"Vulnerabilities in security configuration on your machines should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm,slurm-image-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Non-internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm,slurm-image-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm,slurm-image-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,"Allowlist rules in your adaptive application control policy should be updated"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm,jm-centos79-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,"Monitor missing Endpoint Protection in Azure Security Center"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm,jm-centos79-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,"Vulnerabilities in security configuration on your machines should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm,jm-centos79-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Non-internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm,jm-centos79-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2-preview,ascdependencyagentauditlinuxeffect,04c4380f-3fae-46e8-96c9-30193528f602,/providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602,azure_security_benchmark_v3.0_lt-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.",Monitoring,"[Preview]: Network traffic data collection agent should be installed on Linux virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm,jm-centos79-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm,jm-centos79-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,"Allowlist rules in your adaptive application control policy should be updated"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm,jm-centos79-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,"Azure Backup should be enabled for Virtual Machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm,jm-centos79-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,"Adaptive application controls for defining safe applications should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm,jm-centos79-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,"Management ports of virtual machines should be protected with just-in-time network access control"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm,jm-centos79-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,"[Preview]: System updates should be installed on your machines (powered by Update Center)"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm,jm-centos79-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,"System updates should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm,jm-centos79-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,"Guest Configuration extension should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmNfsRg,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.storage/storageaccounts/jmgbbxnfsblobeus,jmgbbxnfsblobeus,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.1.1,disableunrestrictednetworktostorageaccountmonitoring,34c877ad-507e-4c82-993e-3452a6e0ad3c,/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges",Storage,"Storage accounts should restrict network access"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm,jm-centos79-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,"Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring"
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines/extensions,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm/extensions/azurepolicyforlinux,azurepolicyforlinux,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,"Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity"
1d81cec7-7ded-4731-884e-90c5aa59c622jmnfsrgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vmjm-centos79-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jmnfsrgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vmjm-centos79-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jmnfsrgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vmjm-centos79-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jmnfsrgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vmjm-centos79-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jmnfsrgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vmjm-centos79-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622jmnfsrgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vmjm-centos79-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jmnfsrgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vmjm-centos79-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622jmnfsrgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vmjm-centos79-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jmnfsrgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vmjm-centos79-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622jmnfsrgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vmjm-centos79-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622jmnfsrgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vmslurm-image-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jmnfsrgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vmslurm-image-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622jmnfsrgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vmslurm-image-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622jmnfsrgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vmjm-centos79-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622jmnfsrgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vmslurm-image-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622jmnfsrgMicrosoft.Compute/virtualMachinestbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vmslurm-image-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jmnfsrgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vmslurm-image-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jmnfsrgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vmslurm-image-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jmnfsrgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vmslurm-image-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622jmnfsrgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vmslurm-image-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jmnfsrgMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vmjm-centos79-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622jmnfsrgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vmslurm-image-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jmnfsrgMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vmslurm-image-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm,slurm-image-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm,slurm-image-vm,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhenuser,497dff13-db2a-4c0f-8603-28fa3b331ab6,/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm,slurm-image-vm,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhennone,3cf2ab00-13f1-4d0c-8971-2ac904541a7e,/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm,jm-centos79-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm,jm-centos79-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm,jm-centos79-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm,jm-centos79-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,IP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm,jm-centos79-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,Management ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm,jm-centos79-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,Adaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm,slurm-image-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/slurm-image-vm,slurm-image-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,Allowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622,jmnfsrg,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jmnfsrg/providers/microsoft.compute/virtualmachines/jm-centos79-vm,jm-centos79-vm,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,3.0.0,prerequisite_deployextensionlinux,331e8ea8-378a-410f-a2e5-ae22f38bb0da,/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da,,tbd,deployifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-nftower-microhack-rg,Microsoft.Storage/storageAccounts,tbd,eastus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-nftower-microhack-rg/providers/microsoft.storage/storageaccounts/jmnftowermhsa,jmnftowermhsa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-nftower-microhack-rg,Microsoft.Storage/storageAccounts,tbd,eastus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-nftower-microhack-rg/providers/microsoft.storage/storageaccounts/jmnftowermhsa,jmnftowermhsa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.1.1,disableunrestrictednetworktostorageaccountmonitoring,34c877ad-507e-4c82-993e-3452a6e0ad3c,/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges",Storage,Storage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-nftower-microhack-rg,Microsoft.Storage/storageAccounts,tbd,eastus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-nftower-microhack-rg/providers/microsoft.storage/storageaccounts/jmnftowermhsa,jmnftowermhsa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,Storage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-nftower-microhack-rg,Microsoft.Storage/storageAccounts,tbd,eastus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-nftower-microhack-rg/providers/microsoft.storage/storageaccounts/jmnftowermhsa,jmnftowermhsa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,Storage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-nftower-microhack-rg,Microsoft.Storage/storageAccounts,tbd,eastus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-nftower-microhack-rg/providers/microsoft.storage/storageaccounts/jmnftowermhsa,jmnftowermhsa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-nftower-microhack-rg,Microsoft.Storage/storageAccounts,tbd,eastus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-nftower-microhack-rg/providers/microsoft.storage/storageaccounts/jmnftowermhsa,jmnftowermhsa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-nftower-microhack-rg,Microsoft.Storage/storageAccounts,tbd,eastus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-nftower-microhack-rg/providers/microsoft.storage/storageaccounts/jmnftowermhsa,jmnftowermhsa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-nftower-microhack-rg,Microsoft.Storage/storageAccounts,tbd,eastus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-nftower-microhack-rg/providers/microsoft.storage/storageaccounts/jmnftowermhsa,jmnftowermhsa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,Storage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-nftower-microhack-rg,Microsoft.Storage/storageAccounts,tbd,eastus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-nftower-microhack-rg/providers/microsoft.storage/storageaccounts/jmnftowermhsa,jmnftowermhsa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,Storage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-nftower-microhack-rg,Microsoft.Storage/storageAccounts,tbd,eastus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-nftower-microhack-rg/providers/microsoft.storage/storageaccounts/jmnftowermhsa,jmnftowermhsa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,Storage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-nftower-microhack-rg,Microsoft.Batch/batchAccounts,tbd,eastus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-nftower-microhack-rg/providers/microsoft.batch/batchaccounts/jmnftowermh,jmnftowermh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,5.0.0,diagnosticslogsinbatchaccountmonitoring,428256e6-1fac-4f48-a757-df34c2b3336d,/providers/microsoft.authorization/policydefinitions/428256e6-1fac-4f48-a757-df34c2b3336d,azure_security_benchmark_v3.0_lt-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised",Batch,Resource logs in Batch accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-nftower-microhack-rg,Microsoft.Batch/batchAccounts,tbd,eastus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-nftower-microhack-rg/providers/microsoft.batch/batchaccounts/jmnftowermh,jmnftowermh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,5.0.0,diagnosticslogsinbatchaccountmonitoring,428256e6-1fac-4f48-a757-df34c2b3336d,/providers/microsoft.authorization/policydefinitions/428256e6-1fac-4f48-a757-df34c2b3336d,azure_security_benchmark_v3.0_lt-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised",Batch,Resource logs in Batch accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-nftower-microhack-rg,Microsoft.Storage/storageAccounts,tbd,eastus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-nftower-microhack-rg/providers/microsoft.storage/storageaccounts/jmnftowermhsa,jmnftowermhsa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,Storage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-Pure-DRAGEN-rg-scus,Microsoft.Storage/storageAccounts,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.storage/storageaccounts/jmcyclepuresa,jmcyclepuresa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.1.1,disableunrestrictednetworktostorageaccountmonitoring,34c877ad-507e-4c82-993e-3452a6e0ad3c,/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges",Storage,Storage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-Pure-DRAGEN-rg-scus,Microsoft.Storage/storageAccounts,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.storage/storageaccounts/jmcyclepuresa,jmcyclepuresa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-Pure-DRAGEN-rg-scus,Microsoft.Storage/storageAccounts,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.storage/storageaccounts/jmcyclepuresa,jmcyclepuresa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-Pure-DRAGEN-rg-scus,Microsoft.Storage/storageAccounts,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.storage/storageaccounts/jmcyclepuresa,jmcyclepuresa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,Storage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-Pure-DRAGEN-rg-scus,Microsoft.Storage/storageAccounts,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.storage/storageaccounts/jmcyclepuresa,jmcyclepuresa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,Storage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-PURE-DRAGEN-RG-SCUS,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm,jm-pure-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,Authentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622jm-Pure-DRAGEN-rg-scusMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.storage/storageaccounts/jmpureblobnfssajmpureblobnfssa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622jm-pure-dragen-rg-scusMicrosoft.Compute/virtualMachines/extensionstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622jm-pure-dragen-rg-scusMicrosoft.Compute/virtualMachines/extensionstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622JM-PURE-DRAGEN-RG-SCUSMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vmjm-pure-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-PURE-DRAGEN-RG-SCUSMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vmjm-pure-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-PURE-DRAGEN-RG-SCUSMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vmjm-pure-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-PURE-DRAGEN-RG-SCUSMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vmjm-pure-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-Pure-DRAGEN-rg-scusMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.storage/storageaccounts/jmcyclepuresajmcyclepuresa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622JM-PURE-DRAGEN-RG-SCUSMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vmjm-pure-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622jm-pure-dragen-rg-scusMicrosoft.Network/virtualNetworkstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.network/virtualnetworks/jm-pure-dragen-vnet-scusjm-pure-dragen-vnet-scus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-pure-dragen-rg-scusMicrosoft.Network/virtualNetworkstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.network/virtualnetworks/jm-pure-dragen-vnet-scusjm-pure-dragen-vnet-scus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0-previewazurefirewalleffectfc5e4038-4584-4632-8c85-c0448d374b2c/providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2cazure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewallNetwork[Preview]: All Internet traffic should be routed via your deployed Azure Firewall
1d81cec7-7ded-4731-884e-90c5aa59c622jm-Pure-DRAGEN-rg-scusMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.storage/storageaccounts/jmcyclepuresajmcyclepuresa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622jm-Pure-DRAGEN-rg-scusMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.storage/storageaccounts/jmcyclepuresajmcyclepuresa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622jm-Pure-DRAGEN-rg-scusMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.storage/storageaccounts/jmpureblobnfssajmpureblobnfssa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622jm-Pure-DRAGEN-rg-scusMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.storage/storageaccounts/jmpureblobnfssajmpureblobnfssa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622jm-Pure-DRAGEN-rg-scusMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.storage/storageaccounts/jmpureblobnfssajmpureblobnfssa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-Pure-DRAGEN-rg-scusMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.storage/storageaccounts/jmpureblobnfssajmpureblobnfssa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-Pure-DRAGEN-rg-scusMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.storage/storageaccounts/jmpureblobnfssajmpureblobnfssa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622jm-Pure-DRAGEN-rg-scusMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.storage/storageaccounts/jmpureblobnfssajmpureblobnfssa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622jm-Pure-DRAGEN-rg-scusMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.storage/storageaccounts/jmpureblobnfssajmpureblobnfssa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622jm-Pure-DRAGEN-rg-scusMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.storage/storageaccounts/jmpureblobnfssajmpureblobnfssa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622JM-PURE-DRAGEN-RG-SCUSMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vmjm-pure-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622jm-Pure-DRAGEN-rg-scusMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.storage/storageaccounts/jmpureblobnfssajmpureblobnfssa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-Pure-DRAGEN-rg-scusMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.storage/storageaccounts/jmcyclepuresajmcyclepuresa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622jm-Pure-DRAGEN-rg-scusMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.storage/storageaccounts/jmcyclepuresajmcyclepuresa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-pure-dragen-rg-scusMicrosoft.Network/virtualNetworkstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.network/virtualnetworks/jm-pure-dragen-vnet-scusjm-pure-dragen-vnet-scus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vnetenableddosprotectionmonitoringa7aca53f-2ed4-4466-a25e-0b45ade68efd/providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efdazure_security_benchmark_v3.0_ns-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.Security CenterAzure DDoS Protection Standard should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-pure-dragen-rg-scusMicrosoft.Network/virtualNetworkstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.network/virtualnetworks/jm-pure-dragen-vnet-scusjm-pure-dragen-vnet-scus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0-previewazurefirewalleffectfc5e4038-4584-4632-8c85-c0448d374b2c/providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2cazure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewallNetwork[Preview]: All Internet traffic should be routed via your deployed Azure Firewall
1d81cec7-7ded-4731-884e-90c5aa59c622jm-pure-dragen-rg-scusMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.network/virtualnetworks/jm-pure-dragen-vnet-scus/subnets/gatewaysubnetgatewaysubnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622jm-pure-dragen-rg-scusMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.network/virtualnetworks/jm-pure-dragen-vnet-scus/subnets/computecompute55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622jm-pure-dragen-rg-scusMicrosoft.Network/virtualNetworks/subnetstbdFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.network/virtualnetworks/jm-pure-dragen-vnet-scus/subnets/jm-dragen-anfjm-dragen-anf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622jm-pure-dragen-rg-scusMicrosoft.Network/virtualNetworkstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.network/virtualnetworks/jm-pure-dragen-vnet-scusjm-pure-dragen-vnet-scus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622JM-PURE-DRAGEN-RG-SCUSMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vmjm-pure-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622JM-PURE-DRAGEN-RG-SCUSMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vmjm-pure-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-Pure-DRAGEN-rg-scusMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.storage/storageaccounts/jmcyclepuresajmcyclepuresa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622JM-PURE-DRAGEN-RG-SCUSMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vmjm-pure-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-Pure-DRAGEN-rg-scusMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.storage/storageaccounts/jmpureblobnfssajmpureblobnfssa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622JM-PURE-DRAGEN-RG-SCUSMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vmjm-pure-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622JM-PURE-DRAGEN-RG-SCUSMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vmjm-pure-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622JM-PURE-DRAGEN-RG-SCUSMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vmjm-pure-cc-vm1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration3.0.0prerequisite_deployextensionlinux331e8ea8-378a-410f-a2e5-ae22f38bb0da/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0datbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622JM-PURE-DRAGEN-RG-SCUSMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vmjm-pure-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-PURE-DRAGEN-RG-SCUSMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vmjm-pure-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-PURE-DRAGEN-RG-SCUSMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vmjm-pure-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622JM-PURE-DRAGEN-RG-SCUSMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vmjm-pure-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-PURE-DRAGEN-RG-SCUSMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vmjm-pure-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-PURE-DRAGEN-RG-SCUSMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vmjm-pure-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622JM-PURE-DRAGEN-RG-SCUSMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vmjm-pure-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622JM-PURE-DRAGEN-RG-SCUSMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vmjm-pure-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622JM-PURE-DRAGEN-RG-SCUSMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vmjm-pure-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-PURE-DRAGEN-RG-SCUSMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vmjm-pure-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-PURE-DRAGEN-RG-SCUS,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm,jm-pure-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,"Management ports of virtual machines should be protected with just-in-time network access control"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-PURE-DRAGEN-RG-SCUS,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm,jm-pure-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,"Management ports should be closed on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-PURE-DRAGEN-RG-SCUS,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm,jm-pure-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,"[Preview]: System updates should be installed on your machines (powered by Update Center)"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-PURE-DRAGEN-RG-SCUS,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm,jm-pure-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,"Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-PURE-DRAGEN-RG-SCUS,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Exempt,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm,jm-pure-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,"System updates should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-PURE-DRAGEN-RG-SCUS,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm,jm-pure-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,"[Preview]: Secure Boot should be enabled on supported Windows virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-PURE-DRAGEN-RG-SCUS,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm,jm-pure-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,"[Preview]: Machines should be configured to periodically check for missing system updates"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-PURE-DRAGEN-RG-SCUS,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm,jm-pure-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,"[Preview]: vTPM should be enabled on supported virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-PURE-DRAGEN-RG-SCUS,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm,jm-pure-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,"[Preview]: Secure Boot should be enabled on supported Windows virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-PURE-DRAGEN-RG-SCUS,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm,jm-pure-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,"Virtual machines should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-PURE-DRAGEN-RG-SCUS,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm,jm-pure-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,"[Preview]: Machines should be configured to periodically check for missing system updates"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-PURE-DRAGEN-RG-SCUS,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm,jm-pure-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Non-internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-PURE-DRAGEN-RG-SCUS,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm,jm-pure-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,"[Preview]: vTPM should be enabled on supported virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-PURE-DRAGEN-RG-SCUS,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm,jm-pure-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,"Guest Configuration extension should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-PURE-DRAGEN-RG-SCUS,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm,jm-pure-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,"Monitor missing Endpoint Protection in Azure Security Center"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-PURE-DRAGEN-RG-SCUS,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm,jm-pure-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,"All network ports should be restricted on network security groups associated to your virtual machine"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-PURE-DRAGEN-RG-SCUS,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm,jm-pure-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,"A vulnerability assessment solution should be enabled on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-PURE-DRAGEN-RG-SCUS,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm,jm-pure-cc-vm,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhennone,3cf2ab00-13f1-4d0c-8971-2ac904541a7e,/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-PURE-DRAGEN-RG-SCUS,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm,jm-pure-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-PURE-DRAGEN-RG-SCUS,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm,jm-pure-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,"Monitor missing Endpoint Protection in Azure Security Center"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-PURE-DRAGEN-RG-SCUS,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm,jm-pure-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,"Vulnerabilities in security configuration on your machines should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-PURE-DRAGEN-RG-SCUS,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm,jm-pure-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Non-internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-PURE-DRAGEN-RG-SCUS,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm,jm-pure-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-PURE-DRAGEN-RG-SCUS,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm,jm-pure-cc-vm,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhenuser,497dff13-db2a-4c0f-8603-28fa3b331ab6,/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-PURE-DRAGEN-RG-SCUS,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm,jm-pure-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,"Virtual machines should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-PURE-DRAGEN-RG-SCUS,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm,jm-pure-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,"Vulnerabilities in security configuration on your machines should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-PURE-DRAGEN-RG-SCUS,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm,jm-pure-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,"SQL servers on machines should have vulnerability findings resolved"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-PURE-DRAGEN-RG-SCUS,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm,jm-pure-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,"Allowlist rules in your adaptive application control policy should be updated"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-PURE-DRAGEN-RG-SCUS,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm,jm-pure-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,"Adaptive application controls for defining safe applications should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-PURE-DRAGEN-RG-SCUS,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vm,jm-pure-cc-vm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,"Adaptive network hardening recommendations should be applied on internet facing virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622JM-PURE-DRAGEN-RG-SCUSMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vmjm-pure-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622JM-PURE-DRAGEN-RG-SCUSMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vmjm-pure-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622JM-PURE-DRAGEN-RG-SCUSMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vmjm-pure-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-PURE-DRAGEN-RG-SCUSMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vmjm-pure-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622JM-PURE-DRAGEN-RG-SCUSMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vmjm-pure-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-PURE-DRAGEN-RG-SCUSMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-pure-dragen-rg-scus/providers/microsoft.compute/virtualmachines/jm-pure-cc-vmjm-pure-cc-vm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGRMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumjscheduler-gyygkmzvgjrtgllegizweljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGRMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumjscheduler-gyygkmzvgjrtgllegizweljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGRMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumjscheduler-gyygkmzvgjrtgllegizweljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugrMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGRMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumjscheduler-gyygkmzvgjrtgllegizweljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGRMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumjscheduler-gyygkmzvgjrtgllegizweljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGRMicrosoft.Compute/virtualMachineScaleSetstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachinescalesets/login-dx543m3hpjgphlogin-dx543m3hpjgph55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmssendpointprotectionmonitoring26a828e1-e88f-464e-bbb3-c134a282b9de/providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9deazure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.Security CenterEndpoint protection solution should be installed on virtual machine scale sets
1d81cec7-7ded-4731-884e-90c5aa59c622jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGRMicrosoft.Compute/virtualMachineScaleSetstbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachinescalesets/login-dx543m3hpjgphlogin-dx543m3hpjgph55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmsssystemupdatesmonitoringc3f317a7-a95c-4547-b7e7-11017ebdf2fe/providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2feazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure.Security CenterSystem updates on virtual machine scale sets should be installed
1d81cec7-7ded-4731-884e-90c5aa59c622jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGRMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachinescalesets/scheduler-ha-pmldpwdpfvfuxscheduler-ha-pmldpwdpfvfux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.1.0diagnosticslogsinservicefabricmonitoringeffect7c1b1214-f927-48bf-8882-84f0af6588b1/providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1azure_security_benchmark_v3.0_lt-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinIt is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise.ComputeResource logs in Virtual Machine Scale Sets should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGRMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachinescalesets/scheduler-ha-pmldpwdpfvfuxscheduler-ha-pmldpwdpfvfux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.1.0diagnosticslogsinservicefabricmonitoringeffect7c1b1214-f927-48bf-8882-84f0af6588b1/providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1azure_security_benchmark_v3.0_lt-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineIt is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise.ComputeResource logs in Virtual Machine Scale Sets should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGRMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachinescalesets/scheduler-ha-pmldpwdpfvfuxscheduler-ha-pmldpwdpfvfux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGRMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachinescalesets/login-dx543m3hpjgphlogin-dx543m3hpjgph55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.1.0diagnosticslogsinservicefabricmonitoringeffect7c1b1214-f927-48bf-8882-84f0af6588b1/providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1azure_security_benchmark_v3.0_lt-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineIt is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise.ComputeResource logs in Virtual Machine Scale Sets should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGRMicrosoft.Compute/virtualMachineScaleSetstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachinescalesets/scheduler-ha-pmldpwdpfvfuxscheduler-ha-pmldpwdpfvfux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmsssystemupdatesmonitoringc3f317a7-a95c-4547-b7e7-11017ebdf2fe/providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2feazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure.Security CenterSystem updates on virtual machine scale sets should be installed
1d81cec7-7ded-4731-884e-90c5aa59c622jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGRMicrosoft.Compute/virtualMachineScaleSetstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachinescalesets/scheduler-ha-pmldpwdpfvfuxscheduler-ha-pmldpwdpfvfux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmssendpointprotectionmonitoring26a828e1-e88f-464e-bbb3-c134a282b9de/providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9deazure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.Security CenterEndpoint protection solution should be installed on virtual machine scale sets
1d81cec7-7ded-4731-884e-90c5aa59c622jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGRMicrosoft.Compute/virtualMachineScaleSetstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachinescalesets/scheduler-ha-pmldpwdpfvfuxscheduler-ha-pmldpwdpfvfux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmssosvulnerabilitiesmonitoring3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4/providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks.Security CenterVulnerabilities in security configuration on your virtual machine scale sets should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGRMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachinescalesets/scheduler-ha-pmldpwdpfvfuxscheduler-ha-pmldpwdpfvfux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmssmonitoringa3a6ea0c-e018-4933-9ef0-5aaa1501449b/providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449bazure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecurity Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats.Security CenterLog Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring
Fields identical in every row below: SubscriptionId 1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR; ResourceTags tbd; ResourceLocation eastus; PolicySetDefinitionVersion 55.0.0; PolicySetDefinitionName 1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionId /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionCategory security center; PolicyDefinitionCategory tbd; PolicyDefinitionAction auditifnotexists; PolicyAssignmentOwner tbd. EffectiveParameters, PolicySetDefinitionParameters, PolicySetDefinitionOwner, PolicyEvaluationDetails, PolicyAssignmentVersion and PolicyAssignmentParameters are empty in every row. ResourceId is /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/<ResourceType, lower-case>/<Resource>; PolicyDefinitionId is /providers/microsoft.authorization/policydefinitions/<PolicyDefinitionName>.

Policy assignments referenced:
SecurityCenterBuiltIn: PolicyAssignmentScope /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622; PolicyAssignmentId /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
Azure_Security_Baseline: PolicyAssignmentScope /providers/Microsoft.Management/managementGroups/MCAPSCore; PolicyAssignmentId /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline

Compliance results:
ResourceType | Resource | IsCompliant | ComplianceState | PolicyDefinitionReferenceId | PolicyDefinitionName | PolicyDefinitionVersion | PolicyDefinitionGroupNames | PolicyAssignmentName
Microsoft.Compute/virtualMachineScaleSets | scheduler-ha-pmldpwdpfvfux | False | NonCompliant | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | 3.0.0 | System.Object[] | SecurityCenterBuiltIn
Microsoft.Compute/virtualMachineScaleSets | scheduler-ha-pmldpwdpfvfux | True | Compliant | vmssendpointprotectionmonitoring | 26a828e1-e88f-464e-bbb3-c134a282b9de | 3.0.0 | azure_security_benchmark_v3.0_es-2 | SecurityCenterBuiltIn
Microsoft.Compute/virtualMachineScaleSets | scheduler-ha-pmldpwdpfvfux | True | Compliant | vmssosvulnerabilitiesmonitoring | 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | 3.0.0 | azure_security_benchmark_v3.0_pv-6 | SecurityCenterBuiltIn
Microsoft.Compute/virtualMachineScaleSets | scheduler-ha-pmldpwdpfvfux | False | NonCompliant | installloganalyticsagentonvmssmonitoring | a3a6ea0c-e018-4933-9ef0-5aaa1501449b | 1.0.0 | azure_security_benchmark_v3.0_lt-5 | SecurityCenterBuiltIn
Microsoft.Compute/virtualMachineScaleSets | login-dx543m3hpjgph | False | NonCompliant | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | 3.0.0 | System.Object[] | Azure_Security_Baseline
Microsoft.Compute/virtualMachineScaleSets | login-dx543m3hpjgph | True | Compliant | vmsssystemupdatesmonitoring | c3f317a7-a95c-4547-b7e7-11017ebdf2fe | 3.0.0 | azure_security_benchmark_v3.0_pv-6 | Azure_Security_Baseline
Microsoft.Compute/virtualMachineScaleSets | login-dx543m3hpjgph | True | Compliant | vmssosvulnerabilitiesmonitoring | 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | 3.0.0 | azure_security_benchmark_v3.0_pv-6 | Azure_Security_Baseline
Microsoft.Compute/virtualMachineScaleSets | login-dx543m3hpjgph | False | NonCompliant | installloganalyticsagentonvmssmonitoring | a3a6ea0c-e018-4933-9ef0-5aaa1501449b | 1.0.0 | azure_security_benchmark_v3.0_lt-5 | Azure_Security_Baseline
Microsoft.Compute/virtualMachineScaleSets | login-dx543m3hpjgph | False | NonCompliant | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | 3.0.0 | System.Object[] | SecurityCenterBuiltIn
Microsoft.Compute/virtualMachineScaleSets | login-dx543m3hpjgph | True | Compliant | vmssendpointprotectionmonitoring | 26a828e1-e88f-464e-bbb3-c134a282b9de | 3.0.0 | azure_security_benchmark_v3.0_es-2 | SecurityCenterBuiltIn
Microsoft.Compute/virtualMachineScaleSets | login-dx543m3hpjgph | True | Compliant | vmssosvulnerabilitiesmonitoring | 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | 3.0.0 | azure_security_benchmark_v3.0_pv-6 | SecurityCenterBuiltIn
Microsoft.Compute/virtualMachineScaleSets | login-dx543m3hpjgph | False | NonCompliant | installloganalyticsagentonvmssmonitoring | a3a6ea0c-e018-4933-9ef0-5aaa1501449b | 1.0.0 | azure_security_benchmark_v3.0_lt-5 | SecurityCenterBuiltIn
Microsoft.Compute/virtualMachineScaleSets | scheduler-ha-pmldpwdpfvfux | True | Exempt | vmsssystemupdatesmonitoring | c3f317a7-a95c-4547-b7e7-11017ebdf2fe | 3.0.0 | azure_security_benchmark_v3.0_pv-6 | SecurityCenterBuiltIn
Microsoft.Compute/virtualMachines | scheduler-gyygkmzvgjrtgllegizweljumj | True | Compliant | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | 3.0.0 | azure_security_benchmark_v3.0_im-6 | Azure_Security_Baseline
Microsoft.Compute/virtualMachines | scheduler-gyygkmzvgjrtgllegizweljumj | False | NonCompliant | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | 1.0.0 | azure_security_benchmark_v3.0_es-2 | Azure_Security_Baseline
Microsoft.Compute/virtualMachineScaleSets | login-dx543m3hpjgph | False | NonCompliant | diagnosticslogsinservicefabricmonitoringeffect | 7c1b1214-f927-48bf-8882-84f0af6588b1 | 2.1.0 | azure_security_benchmark_v3.0_lt-3 | SecurityCenterBuiltIn
Microsoft.Compute/virtualMachines | scheduler-gyygkmzvgjrtgllegizweljumj | True | Compliant | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | 3.0.0 | System.Object[] | Azure_Security_Baseline
Microsoft.Compute/virtualMachines | scheduler-gyygkmzvgjrtgllegizweljumj | True | Compliant | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | 3.0.0 | azure_security_benchmark_v3.0_es-2 | SecurityCenterBuiltIn
Microsoft.Compute/virtualMachines | scheduler-gyygkmzvgjrtgllegizweljumj | False | NonCompliant | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | 2.0.3 | azure_security_benchmark_v3.0_dp-4 | SecurityCenterBuiltIn
Microsoft.Compute/virtualMachines | scheduler-gyygkmzvgjrtgllegizweljumj | True | Compliant | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | 3.0.0 | azure_security_benchmark_v3.0_pv-5 | SecurityCenterBuiltIn
Microsoft.Compute/virtualMachines | scheduler-gyygkmzvgjrtgllegizweljumj | True | Compliant | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | 3.0.0 | azure_security_benchmark_v3.0_ns-1 | SecurityCenterBuiltIn
Microsoft.Compute/virtualMachines | scheduler-gyygkmzvgjrtgllegizweljumj | False | NonCompliant | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | 1.0.0 | azure_security_benchmark_v3.0_pv-6 | SecurityCenterBuiltIn
Microsoft.Compute/virtualMachines | scheduler-gyygkmzvgjrtgllegizweljumj | True | Compliant | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | 3.0.0 | System.Object[] | SecurityCenterBuiltIn
Microsoft.Compute/virtualMachines | scheduler-gyygkmzvgjrtgllegizweljumj | True | Compliant | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | 3.0.0 | azure_security_benchmark_v3.0_ns-3 | SecurityCenterBuiltIn
Microsoft.Compute/virtualMachines | scheduler-gyygkmzvgjrtgllegizweljumj | False | NonCompliant | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | 3.0.0 | azure_security_benchmark_v3.0_pv-6 | SecurityCenterBuiltIn
Microsoft.Compute/virtualMachines | scheduler-gyygkmzvgjrtgllegizweljumj | True | Compliant | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | 3.0.0 | azure_security_benchmark_v3.0_ns-3 | SecurityCenterBuiltIn
Microsoft.Compute/virtualMachines | scheduler-gyygkmzvgjrtgllegizweljumj | False | NonCompliant | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | 1.0.2-preview | azure_security_benchmark_v3.0_lt-4 | SecurityCenterBuiltIn
Microsoft.Compute/virtualMachines | scheduler-gyygkmzvgjrtgllegizweljumj | False | NonCompliant | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | 3.0.0 | System.Object[] | SecurityCenterBuiltIn
Microsoft.Compute/virtualMachines | scheduler-gyygkmzvgjrtgllegizweljumj | False | NonCompliant | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | 1.0.0 | azure_security_benchmark_v3.0_es-2 | SecurityCenterBuiltIn
Microsoft.Compute/virtualMachines | scheduler-gyygkmzvgjrtgllegizweljumj | False | NonCompliant | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | 1.0.0 | System.Object[] | SecurityCenterBuiltIn
Microsoft.Compute/virtualMachines | scheduler-gyygkmzvgjrtgllegizweljumj | False | NonCompliant | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | 1.0.2-preview | azure_security_benchmark_v3.0_lt-4 | Azure_Security_Baseline

Policy definitions referenced above (PolicyCategory, PolicyDisplayName and PolicyDescription per PolicyDefinitionReferenceId):
PolicyDefinitionReferenceId | PolicyCategory | PolicyDisplayName | PolicyDescription
containerbenchmarkmonitoring | Security Center | Vulnerabilities in container security configurations should be remediated | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.
vmssendpointprotectionmonitoring | Security Center | Endpoint protection solution should be installed on virtual machine scale sets | Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.
vmssosvulnerabilitiesmonitoring | Security Center | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks.
installloganalyticsagentonvmssmonitoring | Security Center | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats.
vmsssystemupdatesmonitoring | Security Center | System updates on virtual machine scale sets should be installed | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure.
authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | Guest Configuration | Authentication to Linux machines should require SSH keys | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.
installendpointprotection | Security Center | Endpoint protection should be installed on your machines | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.
diagnosticslogsinservicefabricmonitoringeffect | Compute | Resource logs in Virtual Machine Scale Sets should be enabled | It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise.
endpointprotectionmonitoring | Security Center | Monitor missing Endpoint Protection in Azure Security Center | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations
diskencryptionmonitoring | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison
servervulnerabilityassessment | Security Center | A vulnerability assessment solution should be enabled on your virtual machines | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.
nextgenerationfirewallmonitoring | Security Center | All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.
serversqldbvulnerabilityassesmentmonitoring | Security Center | SQL servers on machines should have vulnerability findings resolved | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.
adaptivenetworkhardeningsmonitoring | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface
restrictaccesstomanagementportsmonitoring | Security Center | Management ports should be closed on your virtual machines | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.
systemconfigurationsmonitoring | Security Center | Vulnerabilities in security configuration on your machines should be remediated | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations
disableipforwardingmonitoring | Security Center | IP Forwarding on your virtual machine should be disabled | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.
ascdependencyagentauditlinuxeffect | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.
azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | Backup | Azure Backup should be enabled for Virtual Machines | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.
endpointprotectionhealthissuesmonitoringeffect | Security Center | Endpoint protection health issues should be resolved on your machines | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.
1d81cec7-7ded-4731-884e-90c5aa59c622jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGRMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumjscheduler-gyygkmzvgjrtgllegizweljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGRMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumjscheduler-gyygkmzvgjrtgllegizweljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGRMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumjscheduler-gyygkmzvgjrtgllegizweljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGRMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumjscheduler-gyygkmzvgjrtgllegizweljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGRMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumjscheduler-gyygkmzvgjrtgllegizweljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGRMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumjscheduler-gyygkmzvgjrtgllegizweljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGRMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumjscheduler-gyygkmzvgjrtgllegizweljumj1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGRMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumjscheduler-gyygkmzvgjrtgllegizweljumj1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGRMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumjscheduler-gyygkmzvgjrtgllegizweljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGRMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumjscheduler-gyygkmzvgjrtgllegizweljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGRMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumjscheduler-gyygkmzvgjrtgllegizweljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGRMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumjscheduler-gyygkmzvgjrtgllegizweljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGRMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumjscheduler-gyygkmzvgjrtgllegizweljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGRMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumjscheduler-gyygkmzvgjrtgllegizweljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGRMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumjscheduler-gyygkmzvgjrtgllegizweljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGRMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumjscheduler-gyygkmzvgjrtgllegizweljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGRMicrosoft.Compute/virtualMachinestbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumjscheduler-gyygkmzvgjrtgllegizweljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGRMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumjscheduler-gyygkmzvgjrtgllegizweljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGRMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumjscheduler-gyygkmzvgjrtgllegizweljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGRMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumjscheduler-gyygkmzvgjrtgllegizweljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj,scheduler-gyygkmzvgjrtgllegizweljumj,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,"Management ports of virtual machines should be protected with just-in-time network access control"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj,scheduler-gyygkmzvgjrtgllegizweljumj,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,"Adaptive application controls for defining safe applications should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj,scheduler-gyygkmzvgjrtgllegizweljumj,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,"[Preview]: vTPM should be enabled on supported virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj,scheduler-gyygkmzvgjrtgllegizweljumj,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,"[Preview]: System updates should be installed on your machines (powered by Update Center)"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj,scheduler-gyygkmzvgjrtgllegizweljumj,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,3.0.0,prerequisite_deployextensionlinux,331e8ea8-378a-410f-a2e5-ae22f38bb0da,/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da,,tbd,deployifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,,tbd,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr,Microsoft.Compute/virtualMachines/extensions,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj/extensions/azurepolicyforlinux,azurepolicyforlinux,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,"Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj,scheduler-gyygkmzvgjrtgllegizweljumj,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,"A vulnerability assessment solution should be enabled on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj,scheduler-gyygkmzvgjrtgllegizweljumj,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj,scheduler-gyygkmzvgjrtgllegizweljumj,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,"Monitor missing Endpoint Protection in Azure Security Center"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj,scheduler-gyygkmzvgjrtgllegizweljumj,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,"SQL servers on machines should have vulnerability findings resolved"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj,scheduler-gyygkmzvgjrtgllegizweljumj,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,"Vulnerabilities in security configuration on your machines should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj,scheduler-gyygkmzvgjrtgllegizweljumj,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj,scheduler-gyygkmzvgjrtgllegizweljumj,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,"Allowlist rules in your adaptive application control policy should be updated"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj,scheduler-gyygkmzvgjrtgllegizweljumj,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,"Adaptive application controls for defining safe applications should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj,scheduler-gyygkmzvgjrtgllegizweljumj,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Non-internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj,scheduler-gyygkmzvgjrtgllegizweljumj,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,"All network ports should be restricted on network security groups associated to your virtual machine"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj,scheduler-gyygkmzvgjrtgllegizweljumj,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,"Management ports of virtual machines should be protected with just-in-time network access control"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj,scheduler-gyygkmzvgjrtgllegizweljumj,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,"Adaptive network hardening recommendations should be applied on internet facing virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj,scheduler-gyygkmzvgjrtgllegizweljumj,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,"Management ports should be closed on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-slurm-dhts-upgrade-GBQWKZDDGE2DILJQGBSTALJUGR,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-slurm-dhts-upgrade-gbqwkzddge2diljqgbstaljugr/providers/microsoft.compute/virtualmachines/scheduler-gyygkmzvgjrtgllegizweljumj,scheduler-gyygkmzvgjrtgllegizweljumj,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,"IP Forwarding on your virtual machine should be disabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-TEMPLE-FCCC-RG-EUS,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus,jm-fccc-cc-eus,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,"Endpoint protection should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-TEMPLE-FCCC-RG-EUS,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus,jm-fccc-cc-eus,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,"Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-temple-fccc-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf,scheduler-gfsdcoddmvrtoljygazgiljuhf,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,"[Preview]: Secure Boot should be enabled on supported Windows virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-temple-fccc-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf,scheduler-gfsdcoddmvrtoljygazgiljuhf,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,"Management ports of virtual machines should be protected with just-in-time network access control"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-temple-fccc-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf,scheduler-gfsdcoddmvrtoljygazgiljuhf,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,"Virtual machines should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-temple-fccc-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf,scheduler-gfsdcoddmvrtoljygazgiljuhf,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,"Authentication to Linux machines should require SSH keys"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-temple-fccc-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf,scheduler-gfsdcoddmvrtoljygazgiljuhf,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,"[Preview]: System updates should be installed on your machines (powered by Update Center)"
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-TEMPLE-FCCC-RG-EUS,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus,jm-fccc-cc-eus,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,3.0.0,prerequisite_deployextensionlinux,331e8ea8-378a-410f-a2e5-ae22f38bb0da,/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da,,tbd,deployifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,,tbd,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-temple-fccc-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf,scheduler-gfsdcoddmvrtoljygazgiljuhf,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,"[Preview]: vTPM should be enabled on supported virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622jm-temple-fccc-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhfscheduler-gfsdcoddmvrtoljygazgiljuhf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622jm-temple-fccc-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhfscheduler-gfsdcoddmvrtoljygazgiljuhf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-temple-fccc-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhfscheduler-gfsdcoddmvrtoljygazgiljuhf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622jm-temple-fccc-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhfscheduler-gfsdcoddmvrtoljygazgiljuhf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-temple-fccc-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhfscheduler-gfsdcoddmvrtoljygazgiljuhf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-temple-fccc-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhfscheduler-gfsdcoddmvrtoljygazgiljuhf1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622jm-temple-fccc-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhfscheduler-gfsdcoddmvrtoljygazgiljuhf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-temple-fccc-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhfscheduler-gfsdcoddmvrtoljygazgiljuhf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-temple-fccc-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhfscheduler-gfsdcoddmvrtoljygazgiljuhf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622jm-temple-fccc-rg-eusMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622jm-temple-fccc-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhfscheduler-gfsdcoddmvrtoljygazgiljuhf1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-temple-fccc-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhfscheduler-gfsdcoddmvrtoljygazgiljuhf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-temple-fccc-rg-eusMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622jm-temple-fccc-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhfscheduler-gfsdcoddmvrtoljygazgiljuhf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-temple-fccc-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhfscheduler-gfsdcoddmvrtoljygazgiljuhf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622jm-temple-fccc-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhfscheduler-gfsdcoddmvrtoljygazgiljuhf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jm-temple-fccc-rg-eusMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.storage/storageaccounts/jmfcccstoragejmfcccstorage55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-temple-fccc-rg-eusMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.storage/storageaccounts/jmfcccstoragejmfcccstorage55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622jm-temple-fccc-rg-eusMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.storage/storageaccounts/jmfcccstoragejmfcccstorage55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622jm-temple-fccc-rg-eusMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.storage/storageaccounts/jmfcccstoragejmfcccstorage55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-temple-fccc-rg-eusMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.storage/storageaccounts/jmfcccstoragejmfcccstorage55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-temple-fccc-rg-eusMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.storage/storageaccounts/jmfcccstoragejmfcccstorage55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622jm-temple-fccc-rg-eusMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.storage/storageaccounts/jmfcccstoragejmfcccstorage55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622jm-temple-fccc-rg-eusMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.storage/storageaccounts/jmfcccstoragejmfcccstorage55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622jm-temple-fccc-rg-eusMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.storage/storageaccounts/jmfcccstoragejmfcccstorage55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622jm-temple-fccc-rg-eusMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.storage/storageaccounts/jmfcccstoragejmfcccstorage55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-TEMPLE-FCCC-RG-EUS,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus,jm-fccc-cc-eus,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,Vulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-temple-fccc-rg-eus,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.storage/storageaccounts/jmfcccstorage,jmfcccstorage,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-temple-fccc-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf,scheduler-gfsdcoddmvrtoljygazgiljuhf,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,Allowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-TEMPLE-FCCC-RG-EUS,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus,jm-fccc-cc-eus,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-temple-fccc-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf,scheduler-gfsdcoddmvrtoljygazgiljuhf,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,SQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-temple-fccc-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf,scheduler-gfsdcoddmvrtoljygazgiljuhf,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-temple-fccc-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf,scheduler-gfsdcoddmvrtoljygazgiljuhf,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,Allowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-temple-fccc-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf,scheduler-gfsdcoddmvrtoljygazgiljuhf,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,Adaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-temple-fccc-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf,scheduler-gfsdcoddmvrtoljygazgiljuhf,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,Management ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-temple-fccc-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf,scheduler-gfsdcoddmvrtoljygazgiljuhf,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-temple-fccc-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf,scheduler-gfsdcoddmvrtoljygazgiljuhf,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,System updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-temple-fccc-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf,scheduler-gfsdcoddmvrtoljygazgiljuhf,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Non-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-temple-fccc-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf,scheduler-gfsdcoddmvrtoljygazgiljuhf,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-temple-fccc-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf,scheduler-gfsdcoddmvrtoljygazgiljuhf,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-temple-fccc-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf,scheduler-gfsdcoddmvrtoljygazgiljuhf,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-temple-fccc-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf,scheduler-gfsdcoddmvrtoljygazgiljuhf,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,Azure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-temple-fccc-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf,scheduler-gfsdcoddmvrtoljygazgiljuhf,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-temple-fccc-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf,scheduler-gfsdcoddmvrtoljygazgiljuhf,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,Management ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-temple-fccc-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf,scheduler-gfsdcoddmvrtoljygazgiljuhf,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,Adaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-temple-fccc-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf,scheduler-gfsdcoddmvrtoljygazgiljuhf,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,3.0.0,prerequisite_deployextensionlinux,331e8ea8-378a-410f-a2e5-ae22f38bb0da,/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da,,tbd,deployifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-temple-fccc-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf,scheduler-gfsdcoddmvrtoljygazgiljuhf,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,SQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-TEMPLE-FCCC-RG-EUS,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus,jm-fccc-cc-eus,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,Authentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-temple-fccc-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf,scheduler-gfsdcoddmvrtoljygazgiljuhf,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,Monitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622,JM-TEMPLE-FCCC-RG-EUS,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eus,jm-fccc-cc-eus,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,Authentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-temple-fccc-rg-eus,Microsoft.Compute/virtualMachines/extensions,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf/extensions/azurepolicyforlinux,azurepolicyforlinux,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-temple-fccc-rg-eus,Microsoft.Compute/virtualMachines/extensions,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf/extensions/azurepolicyforlinux,azurepolicyforlinux,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-temple-fccc-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf,scheduler-gfsdcoddmvrtoljygazgiljuhf,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-temple-fccc-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf,scheduler-gfsdcoddmvrtoljygazgiljuhf,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-temple-fccc-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf,scheduler-gfsdcoddmvrtoljygazgiljuhf,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,Azure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-temple-fccc-rg-eus,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhf,scheduler-gfsdcoddmvrtoljygazgiljuhf,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,Vulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-temple-fccc-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhfscheduler-gfsdcoddmvrtoljygazgiljuhf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-temple-fccc-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhfscheduler-gfsdcoddmvrtoljygazgiljuhf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-temple-fccc-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhfscheduler-gfsdcoddmvrtoljygazgiljuhf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622jm-temple-fccc-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhfscheduler-gfsdcoddmvrtoljygazgiljuhf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622jm-temple-fccc-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhfscheduler-gfsdcoddmvrtoljygazgiljuhf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-temple-fccc-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhfscheduler-gfsdcoddmvrtoljygazgiljuhf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-temple-fccc-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhfscheduler-gfsdcoddmvrtoljygazgiljuhf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-temple-fccc-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhfscheduler-gfsdcoddmvrtoljygazgiljuhf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622jm-temple-fccc-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhfscheduler-gfsdcoddmvrtoljygazgiljuhf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-temple-fccc-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhfscheduler-gfsdcoddmvrtoljygazgiljuhf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-temple-fccc-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhfscheduler-gfsdcoddmvrtoljygazgiljuhf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-temple-fccc-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhfscheduler-gfsdcoddmvrtoljygazgiljuhf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622jm-temple-fccc-rg-eusMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhfscheduler-gfsdcoddmvrtoljygazgiljuhf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622jm-temple-fccc-rg-eusMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/scheduler-gfsdcoddmvrtoljygazgiljuhfscheduler-gfsdcoddmvrtoljygazgiljuhf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622JM-TEMPLE-FCCC-RG-EUSMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-temple-fccc-rg-eus/providers/microsoft.compute/virtualmachines/jm-fccc-cc-eusjm-fccc-cc-eus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugischeduler-mjrdky3dgq3taljvheztoljugi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugischeduler-mjrdky3dgq3taljvheztoljugi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugischeduler-mjrdky3dgq3taljvheztoljugi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugischeduler-mjrdky3dgq3taljvheztoljugi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugischeduler-mjrdky3dgq3taljvheztoljugi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugischeduler-mjrdky3dgq3taljvheztoljugi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugischeduler-mjrdky3dgq3taljvheztoljugi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugischeduler-mjrdky3dgq3taljvheztoljugi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugischeduler-mjrdky3dgq3taljvheztoljugi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugischeduler-mjrdky3dgq3taljvheztoljugi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugischeduler-mjrdky3dgq3taljvheztoljugi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugischeduler-mjrdky3dgq3taljvheztoljugi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugischeduler-mjrdky3dgq3taljvheztoljugi1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration3.0.0prerequisite_deployextensionlinux331e8ea8-378a-410f-a2e5-ae22f38bb0da/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0datbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugischeduler-mjrdky3dgq3taljvheztoljugi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugischeduler-mjrdky3dgq3taljvheztoljugi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugischeduler-mjrdky3dgq3taljvheztoljugi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugischeduler-mjrdky3dgq3taljvheztoljugi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugischeduler-mjrdky3dgq3taljvheztoljugi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugischeduler-mjrdky3dgq3taljvheztoljugi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugischeduler-mjrdky3dgq3taljvheztoljugi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugischeduler-mjrdky3dgq3taljvheztoljugi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugischeduler-mjrdky3dgq3taljvheztoljugi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugischeduler-mjrdky3dgq3taljvheztoljugi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugischeduler-mjrdky3dgq3taljvheztoljugi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugischeduler-mjrdky3dgq3taljvheztoljugi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugischeduler-mjrdky3dgq3taljvheztoljugi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachinestbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugischeduler-mjrdky3dgq3taljvheztoljugi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugischeduler-mjrdky3dgq3taljvheztoljugi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugischeduler-mjrdky3dgq3taljvheztoljugi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugischeduler-mjrdky3dgq3taljvheztoljugi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugischeduler-mjrdky3dgq3taljvheztoljugi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugischeduler-mjrdky3dgq3taljvheztoljugi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi,scheduler-mjrdky3dgq3taljvheztoljugi,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,SQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi,scheduler-mjrdky3dgq3taljvheztoljugi,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,All network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi,scheduler-mjrdky3dgq3taljvheztoljugi,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,A vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi,scheduler-mjrdky3dgq3taljvheztoljugi,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,Guest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi,scheduler-mjrdky3dgq3taljvheztoljugi,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi,scheduler-mjrdky3dgq3taljvheztoljugi,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi,scheduler-mjrdky3dgq3taljvheztoljugi,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Non-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi,scheduler-mjrdky3dgq3taljvheztoljugi,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,Linux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi,scheduler-mjrdky3dgq3taljvheztoljugi,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi,scheduler-mjrdky3dgq3taljvheztoljugi,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,IP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY,Microsoft.Compute/virtualMachineScaleSets,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachinescalesets/f2-iqgcslkkwzcln,f2-iqgcslkkwzcln,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.1.0,diagnosticslogsinservicefabricmonitoringeffect,7c1b1214-f927-48bf-8882-84f0af6588b1,/providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1,azure_security_benchmark_v3.0_lt-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise.",Compute,Resource logs in Virtual Machine Scale Sets should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY,Microsoft.Compute/virtualMachineScaleSets,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachinescalesets/f2-iqgcslkkwzcln,f2-iqgcslkkwzcln,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY,Microsoft.Compute/virtualMachineScaleSets,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachinescalesets/f2-iqgcslkkwzcln,f2-iqgcslkkwzcln,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vmssosvulnerabilitiesmonitoring,3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4,/providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks.",Security Center,Vulnerabilities in security configuration on your virtual machine scale sets should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY,Microsoft.Compute/virtualMachineScaleSets,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachinescalesets/f2-iqgcslkkwzcln,f2-iqgcslkkwzcln,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vmssendpointprotectionmonitoring,26a828e1-e88f-464e-bbb3-c134a282b9de,/providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.",Security Center,Endpoint protection solution should be installed on virtual machine scale sets
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY,Microsoft.Compute/virtualMachineScaleSets,tbd,eastus,True,Exempt,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachinescalesets/f2-iqgcslkkwzcln,f2-iqgcslkkwzcln,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vmsssystemupdatesmonitoring,c3f317a7-a95c-4547-b7e7-11017ebdf2fe,/providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure.",Security Center,System updates on virtual machine scale sets should be installed
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY,Microsoft.Compute/virtualMachineScaleSets,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachinescalesets/f2-iqgcslkkwzcln,f2-iqgcslkkwzcln,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.1.0,diagnosticslogsinservicefabricmonitoringeffect,7c1b1214-f927-48bf-8882-84f0af6588b1,/providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1,azure_security_benchmark_v3.0_lt-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise.",Compute,Resource logs in Virtual Machine Scale Sets should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY,Microsoft.Compute/virtualMachineScaleSets,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachinescalesets/f2-iqgcslkkwzcln,f2-iqgcslkkwzcln,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmssmonitoring,a3a6ea0c-e018-4933-9ef0-5aaa1501449b,/providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats.",Security Center,Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY,Microsoft.Compute/virtualMachineScaleSets,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachinescalesets/f2-iqgcslkkwzcln,f2-iqgcslkkwzcln,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY,Microsoft.Compute/virtualMachineScaleSets,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachinescalesets/f2-iqgcslkkwzcln,f2-iqgcslkkwzcln,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vmssendpointprotectionmonitoring,26a828e1-e88f-464e-bbb3-c134a282b9de,/providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.",Security Center,Endpoint protection solution should be installed on virtual machine scale sets
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY,Microsoft.Compute/virtualMachineScaleSets,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachinescalesets/f2-iqgcslkkwzcln,f2-iqgcslkkwzcln,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmssmonitoring,a3a6ea0c-e018-4933-9ef0-5aaa1501449b,/providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats.",Security Center,Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY,Microsoft.Compute/virtualMachineScaleSets,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachinescalesets/f2-iqgcslkkwzcln,f2-iqgcslkkwzcln,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vmssosvulnerabilitiesmonitoring,3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4,/providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks.",Security Center,Vulnerabilities in security configuration on your virtual machine scale sets should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi,scheduler-mjrdky3dgq3taljvheztoljugi,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,Authentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622,jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGY,Microsoft.Compute/virtualMachineScaleSets,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachinescalesets/f2-iqgcslkkwzcln,f2-iqgcslkkwzcln,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vmsssystemupdatesmonitoring,c3f317a7-a95c-4547-b7e7-11017ebdf2fe,/providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure.",Security Center,System updates on virtual machine scale sets should be installed
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachinescalesets/f2-iqgcslkkwzclnf2-iqgcslkkwzcln55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmssmonitoringa3a6ea0c-e018-4933-9ef0-5aaa1501449b/providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449bazure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecurity Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats.Security CenterLog Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachinescalesets/f2-iqgcslkkwzclnf2-iqgcslkkwzcln55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmssendpointprotectionmonitoring26a828e1-e88f-464e-bbb3-c134a282b9de/providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9deazure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.Security CenterEndpoint protection solution should be installed on virtual machine scale sets
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugischeduler-mjrdky3dgq3taljvheztoljugi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugischeduler-mjrdky3dgq3taljvheztoljugi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugischeduler-mjrdky3dgq3taljvheztoljugi1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugischeduler-mjrdky3dgq3taljvheztoljugi1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugischeduler-mjrdky3dgq3taljvheztoljugi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugischeduler-mjrdky3dgq3taljvheztoljugi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugischeduler-mjrdky3dgq3taljvheztoljugi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugischeduler-mjrdky3dgq3taljvheztoljugi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugischeduler-mjrdky3dgq3taljvheztoljugi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugischeduler-mjrdky3dgq3taljvheztoljugi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugi/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugischeduler-mjrdky3dgq3taljvheztoljugi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugischeduler-mjrdky3dgq3taljvheztoljugi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugischeduler-mjrdky3dgq3taljvheztoljugi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugischeduler-mjrdky3dgq3taljvheztoljugi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachinescalesets/f2-iqgcslkkwzclnf2-iqgcslkkwzcln55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachinescalesets/f2-iqgcslkkwzclnf2-iqgcslkkwzcln55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.1.0diagnosticslogsinservicefabricmonitoringeffect7c1b1214-f927-48bf-8882-84f0af6588b1/providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1azure_security_benchmark_v3.0_lt-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineIt is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise.ComputeResource logs in Virtual Machine Scale Sets should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachinescalesets/f2-iqgcslkkwzclnf2-iqgcslkkwzcln55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmssosvulnerabilitiesmonitoring3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4/providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks.Security CenterVulnerabilities in security configuration on your virtual machine scale sets should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugischeduler-mjrdky3dgq3taljvheztoljugi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622jm-UCLA-3cloud-G43DGNJRGEZDMLJSME2DMLJUGYMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-ucla-3cloud-g43dgnjrgezdmljsme2dmljugy/providers/microsoft.compute/virtualmachines/scheduler-mjrdky3dgq3taljvheztoljugischeduler-mjrdky3dgq3taljvheztoljugi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
Compliance rows for subscription 1d81cec7-7ded-4731-884e-90c5aa59c622 (columns that carry the same value on every row below are listed once, then the policy assignments and definitions the rows reference, then the per-resource evaluations):

Constant columns in this section:
  SubscriptionId = 1d81cec7-7ded-4731-884e-90c5aa59c622
  PolicySetDefinitionVersion = 55.0.0
  PolicySetDefinitionName = 1f3afdf9-d0c9-4c3d-847f-89da613e70a8
  PolicySetDefinitionId = /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
  PolicySetDefinitionCategory = security center
  ResourceTags, PolicyDefinitionCategory, PolicyAssignmentParameters = tbd
  EffectiveParameters, PolicySetDefinitionParameters, PolicySetDefinitionOwner, PolicyEvaluationDetails, PolicyAssignmentVersion, PolicyAssignmentOwner = (empty)

Policy assignments referenced (PolicyAssignmentName,PolicyAssignmentScope,PolicyAssignmentId):
  SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
  Azure_Security_Baseline,/providers/Microsoft.Management/managementGroups/MCAPSCore,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline

Policy definitions referenced (PolicyDefinitionName,PolicyDefinitionId,PolicyDefinitionVersion,PolicyDefinitionReferenceId,PolicyDefinitionGroupNames,PolicyDefinitionAction,PolicyCategory,PolicyDisplayName; PolicyDescription on the following line):
  e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,3.0.0,networksecuritygroupsonsubnetsmonitoring,azure_security_benchmark_v3.0_ns-1,auditifnotexists,Security Center,Subnets should be associated with a Network Security Group
    Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.
  a7aca53f-2ed4-4466-a25e-0b45ade68efd,/providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd,3.0.0,vnetenableddosprotectionmonitoring,azure_security_benchmark_v3.0_ns-5,auditifnotexists,Security Center,Azure DDoS Protection Standard should be enabled
    DDoS Protection Standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.
  b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,3.0.0,networkwatchershouldbeenabledmonitoringeffect,azure_security_benchmark_v3.0_ir-4,auditifnotexists,Network,Network Watcher should be enabled
    Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario-level monitoring enables you to diagnose problems with an end-to-end network view. A Network Watcher resource group must exist in every region where a virtual network is present; an alert is raised if none is available in a particular region.
  428256e6-1fac-4f48-a757-df34c2b3336d,/providers/microsoft.authorization/policydefinitions/428256e6-1fac-4f48-a757-df34c2b3336d,5.0.0,diagnosticslogsinbatchaccountmonitoring,azure_security_benchmark_v3.0_lt-3,auditifnotexists,Batch,Resource logs in Batch accounts should be enabled
    Audit enabling of resource logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised.
  2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,azure_security_benchmark_v3.0_ns-2,audit,Storage,Storage accounts should restrict network access using virtual network rules
    Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.
  4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,3.1.0-preview,storagedisallowpublicaccess,azure_security_benchmark_v3.0_ns-2,audit,Storage,[Preview]: Storage account public access should be disallowed
    Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.
  37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,1.0.0,classicstorageaccountsmonitoring,azure_security_benchmark_v3.0_am-2,audit,Storage,Storage accounts should be migrated to new Azure Resource Manager resources
    Use the new Azure Resource Manager for your storage accounts to get security enhancements such as stronger access control (RBAC), better auditing, Azure Resource Manager-based deployment and governance, access to managed identities, access to Key Vault for secrets, Azure AD-based authentication, and support for tags and resource groups for easier security management.
  6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,azure_security_benchmark_v3.0_ns-2,auditifnotexists,Storage,Storage accounts should use private link
    Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at https://aka.ms/azureprivatelinkoverview
  404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,2.0.0,securetransfertostorageaccountmonitoring,azure_security_benchmark_v3.0_dp-3,audit,Storage,Secure transfer to storage accounts should be enabled
    Audit the requirement of secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network-layer attacks such as man-in-the-middle, eavesdropping, and session hijacking.
  34c877ad-507e-4c82-993e-3452a6e0ad3c,/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c,1.1.1,disableunrestrictednetworktostorageaccountmonitoring,azure_security_benchmark_v3.0_ns-2,audit,Storage,Storage accounts should restrict network access
    Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.

Per-resource evaluations (each policy is evaluated once per assignment, so a resource appears twice for the same policy when both SecurityCenterBuiltIn and Azure_Security_Baseline include it):
ResourceGroup,ResourceType,ResourceLocation,IsCompliant,ComplianceState,ResourceId,Resource,PolicyDefinitionName,PolicyDisplayName,PolicyAssignmentName
jm-vnet-peering-rg-eus,Microsoft.Network/virtualNetworks/subnets,,True,Compliant,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-vnet-peering-rg-eus/providers/microsoft.network/virtualnetworks/vnet-2/subnets/mysubnet,mysubnet,e71308d3-144b-4262-b144-efdc3cc90517,Subnets should be associated with a Network Security Group,Azure_Security_Baseline
jm-vnet-peering-rg-eus,Microsoft.Network/virtualNetworks,eastus,True,Compliant,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-vnet-peering-rg-eus/providers/microsoft.network/virtualnetworks/vnet-1,vnet-1,a7aca53f-2ed4-4466-a25e-0b45ade68efd,Azure DDoS Protection Standard should be enabled,SecurityCenterBuiltIn
jm-vnet-peering-rg-eus,Microsoft.Network/virtualNetworks/subnets,,True,Compliant,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-vnet-peering-rg-eus/providers/microsoft.network/virtualnetworks/vnet-1/subnets/mysubnet,mysubnet,e71308d3-144b-4262-b144-efdc3cc90517,Subnets should be associated with a Network Security Group,Azure_Security_Baseline
jm-vnet-peering-rg-eus,Microsoft.Network/virtualNetworks,eastus,True,Compliant,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-vnet-peering-rg-eus/providers/microsoft.network/virtualnetworks/vnet-2,vnet-2,a7aca53f-2ed4-4466-a25e-0b45ade68efd,Azure DDoS Protection Standard should be enabled,SecurityCenterBuiltIn
jm-vnet-peering-rg-eus,Microsoft.Network/virtualNetworks,eastus,True,Compliant,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-vnet-peering-rg-eus/providers/microsoft.network/virtualnetworks/vnet-1,vnet-1,b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,Network Watcher should be enabled,SecurityCenterBuiltIn
jm-vnet-peering-rg-eus,Microsoft.Network/virtualNetworks,eastus,True,Compliant,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-vnet-peering-rg-eus/providers/microsoft.network/virtualnetworks/vnet-1,vnet-1,b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,Network Watcher should be enabled,Azure_Security_Baseline
jm-vnet-peering-rg-eus,Microsoft.Network/virtualNetworks,eastus,True,Compliant,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-vnet-peering-rg-eus/providers/microsoft.network/virtualnetworks/vnet-2,vnet-2,b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,Network Watcher should be enabled,SecurityCenterBuiltIn
jm-vnet-peering-rg-eus,Microsoft.Network/virtualNetworks,eastus,True,Compliant,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/jm-vnet-peering-rg-eus/providers/microsoft.network/virtualnetworks/vnet-2,vnet-2,b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,Network Watcher should be enabled,Azure_Security_Baseline
KA-Batch,Microsoft.Batch/batchAccounts,eastus,False,NonCompliant,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ka-batch/providers/microsoft.batch/batchaccounts/batchmove,batchmove,428256e6-1fac-4f48-a757-df34c2b3336d,Resource logs in Batch accounts should be enabled,SecurityCenterBuiltIn
KA-Batch,Microsoft.Batch/batchAccounts,eastus,False,NonCompliant,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ka-batch/providers/microsoft.batch/batchaccounts/batchmove,batchmove,428256e6-1fac-4f48-a757-df34c2b3336d,Resource logs in Batch accounts should be enabled,Azure_Security_Baseline
Locker-jmcc8testsa,Microsoft.Storage/storageAccounts,eastus2,False,NonCompliant,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmcc8testsa/providers/microsoft.storage/storageaccounts/jmcc8testsa,jmcc8testsa,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,Storage accounts should restrict network access using virtual network rules,SecurityCenterBuiltIn
Locker-jmcc8testsa,Microsoft.Storage/storageAccounts,eastus2,True,Compliant,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmcc8testsa/providers/microsoft.storage/storageaccounts/jmcc8testsa,jmcc8testsa,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,[Preview]: Storage account public access should be disallowed,Azure_Security_Baseline
Locker-jmcc8testsa,Microsoft.Storage/storageAccounts,eastus2,True,Compliant,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmcc8testsa/providers/microsoft.storage/storageaccounts/jmcc8testsa,jmcc8testsa,37e0d2fe-28a5-43d6-a273-67d37d1f5606,Storage accounts should be migrated to new Azure Resource Manager resources,Azure_Security_Baseline
Locker-jmcc8testsa,Microsoft.Storage/storageAccounts,eastus2,False,NonCompliant,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmcc8testsa/providers/microsoft.storage/storageaccounts/jmcc8testsa,jmcc8testsa,6edd7eda-6dd8-40f7-810d-67160c639cd9,Storage accounts should use private link,SecurityCenterBuiltIn
Locker-jmcc8testsa,Microsoft.Storage/storageAccounts,eastus2,True,Compliant,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmcc8testsa/providers/microsoft.storage/storageaccounts/jmcc8testsa,jmcc8testsa,404c3081-a854-4457-ae30-26a93ef643f9,Secure transfer to storage accounts should be enabled,Azure_Security_Baseline
Locker-jmcc8testsa,Microsoft.Storage/storageAccounts,eastus2,False,NonCompliant,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmcc8testsa/providers/microsoft.storage/storageaccounts/jmcc8testsa,jmcc8testsa,34c877ad-507e-4c82-993e-3452a6e0ad3c,Storage accounts should restrict network access,Azure_Security_Baseline
Locker-jmcc8testsa,Microsoft.Storage/storageAccounts,eastus2,False,NonCompliant,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmcc8testsa/providers/microsoft.storage/storageaccounts/jmcc8testsa,jmcc8testsa,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,Storage accounts should restrict network access using virtual network rules,Azure_Security_Baseline
Locker-jmcc8testsa,Microsoft.Storage/storageAccounts,eastus2,True,Compliant,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmcc8testsa/providers/microsoft.storage/storageaccounts/jmcc8testsa,jmcc8testsa,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,[Preview]: Storage account public access should be disallowed,SecurityCenterBuiltIn
Locker-jmcc8testsa,Microsoft.Storage/storageAccounts,eastus2,True,Compliant,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmcc8testsa/providers/microsoft.storage/storageaccounts/jmcc8testsa,jmcc8testsa,37e0d2fe-28a5-43d6-a273-67d37d1f5606,Storage accounts should be migrated to new Azure Resource Manager resources,SecurityCenterBuiltIn
Locker-jmcc8testsa,Microsoft.Storage/storageAccounts,eastus2,True,Compliant,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmcc8testsa/providers/microsoft.storage/storageaccounts/jmcc8testsa,jmcc8testsa,404c3081-a854-4457-ae30-26a93ef643f9,Secure transfer to storage accounts should be enabled,SecurityCenterBuiltIn
Locker-jmcc8testsa,Microsoft.Storage/storageAccounts,eastus2,False,NonCompliant,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmcc8testsa/providers/microsoft.storage/storageaccounts/jmcc8testsa,jmcc8testsa,6edd7eda-6dd8-40f7-810d-67160c639cd9,Storage accounts should use private link,Azure_Security_Baseline
Locker-jmgbbmh21sa,Microsoft.Storage/storageAccounts,eastus,False,NonCompliant,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmgbbmh21sa/providers/microsoft.storage/storageaccounts/jmgbbmh21sa,jmgbbmh21sa,6edd7eda-6dd8-40f7-810d-67160c639cd9,Storage accounts should use private link,Azure_Security_Baseline
Locker-jmgbbmh21sa,Microsoft.Storage/storageAccounts,eastus,True,Compliant,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmgbbmh21sa/providers/microsoft.storage/storageaccounts/jmgbbmh21sa,jmgbbmh21sa,404c3081-a854-4457-ae30-26a93ef643f9,Secure transfer to storage accounts should be enabled,SecurityCenterBuiltIn
Locker-jmgbbmh21sa,Microsoft.Storage/storageAccounts,eastus,False,NonCompliant,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmgbbmh21sa/providers/microsoft.storage/storageaccounts/jmgbbmh21sa,jmgbbmh21sa,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,Storage accounts should restrict network access using virtual network rules,Azure_Security_Baseline
Locker-jmgbbmh21sa,Microsoft.Storage/storageAccounts,eastus,True,Compliant,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmgbbmh21sa/providers/microsoft.storage/storageaccounts/jmgbbmh21sa,jmgbbmh21sa,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,[Preview]: Storage account public access should be disallowed,Azure_Security_Baseline
Locker-jmgbbmh21sa,Microsoft.Storage/storageAccounts,eastus,True,Compliant,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmgbbmh21sa/providers/microsoft.storage/storageaccounts/jmgbbmh21sa,jmgbbmh21sa,37e0d2fe-28a5-43d6-a273-67d37d1f5606,Storage accounts should be migrated to new Azure Resource Manager resources,Azure_Security_Baseline
Locker-jmgbbmh21sa,Microsoft.Storage/storageAccounts,eastus,True,Compliant,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmgbbmh21sa/providers/microsoft.storage/storageaccounts/jmgbbmh21sa,jmgbbmh21sa,404c3081-a854-4457-ae30-26a93ef643f9,Secure transfer to storage accounts should be enabled,Azure_Security_Baseline
Locker-jmgbbmh21sa,Microsoft.Storage/storageAccounts,eastus,False,NonCompliant,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmgbbmh21sa/providers/microsoft.storage/storageaccounts/jmgbbmh21sa,jmgbbmh21sa,34c877ad-507e-4c82-993e-3452a6e0ad3c,Storage accounts should restrict network access,Azure_Security_Baseline
Locker-jmgbbmh21sa,Microsoft.Storage/storageAccounts,eastus,False,NonCompliant,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmgbbmh21sa/providers/microsoft.storage/storageaccounts/jmgbbmh21sa,jmgbbmh21sa,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,Storage accounts should restrict network access using virtual network rules,SecurityCenterBuiltIn
Locker-jmgbbmh21sa,Microsoft.Storage/storageAccounts,eastus,True,Compliant,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmgbbmh21sa/providers/microsoft.storage/storageaccounts/jmgbbmh21sa,jmgbbmh21sa,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,[Preview]: Storage account public access should be disallowed,SecurityCenterBuiltIn
1d81cec7-7ded-4731-884e-90c5aa59c622Locker-jmgbbmh21saMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmgbbmh21sa/providers/microsoft.storage/storageaccounts/jmgbbmh21sajmgbbmh21sa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622Locker-jmgbbmh21saMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmgbbmh21sa/providers/microsoft.storage/storageaccounts/jmgbbmh21sajmgbbmh21sa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622Locker-jmstoragescusMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmstoragescus/providers/microsoft.storage/storageaccounts/jmstoragescusjmstoragescus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622Locker-jmstoragescusMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmstoragescus/providers/microsoft.storage/storageaccounts/jmstoragescusjmstoragescus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622Locker-jmstoragescusMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmstoragescus/providers/microsoft.storage/storageaccounts/jmstoragescusjmstoragescus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622Locker-jmstoragescusMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmstoragescus/providers/microsoft.storage/storageaccounts/jmstoragescusjmstoragescus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622Locker-jmstoragescusMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmstoragescus/providers/microsoft.storage/storageaccounts/jmstoragescusjmstoragescus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622Locker-jmstoragescusMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmstoragescus/providers/microsoft.storage/storageaccounts/jmstoragescusjmstoragescus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622Locker-jmstoragescusMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmstoragescus/providers/microsoft.storage/storageaccounts/jmstoragescusjmstoragescus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622Locker-jmstoragescusMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmstoragescus/providers/microsoft.storage/storageaccounts/jmstoragescusjmstoragescus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622Locker-jmstoragescusMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmstoragescus/providers/microsoft.storage/storageaccounts/jmstoragescusjmstoragescus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622Locker-jmstoragescusMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmstoragescus/providers/microsoft.storage/storageaccounts/jmstoragescusjmstoragescus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622Locker-jmstoragescusMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmstoragescus/providers/microsoft.storage/storageaccounts/jmstoragescusjmstoragescus55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622Locker-jmuclatomcatsaMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmuclatomcatsa/providers/microsoft.storage/storageaccounts/jmuclatomcatsajmuclatomcatsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622Locker-jmuclatomcatsaMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmuclatomcatsa/providers/microsoft.storage/storageaccounts/jmuclatomcatsajmuclatomcatsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622Locker-jmuclatomcatsaMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmuclatomcatsa/providers/microsoft.storage/storageaccounts/jmuclatomcatsajmuclatomcatsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622Locker-jmuclatomcatsaMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmuclatomcatsa/providers/microsoft.storage/storageaccounts/jmuclatomcatsajmuclatomcatsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622Locker-jmuclatomcatsaMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmuclatomcatsa/providers/microsoft.storage/storageaccounts/jmuclatomcatsajmuclatomcatsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622Locker-jmuclatomcatsaMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmuclatomcatsa/providers/microsoft.storage/storageaccounts/jmuclatomcatsajmuclatomcatsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622Locker-jmuclatomcatsaMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmuclatomcatsa/providers/microsoft.storage/storageaccounts/jmuclatomcatsajmuclatomcatsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622Locker-jmuclatomcatsaMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmuclatomcatsa/providers/microsoft.storage/storageaccounts/jmuclatomcatsajmuclatomcatsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622Locker-jmuclatomcatsaMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmuclatomcatsa/providers/microsoft.storage/storageaccounts/jmuclatomcatsajmuclatomcatsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-jmuclatomcatsa | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmuclatomcatsa/providers/microsoft.storage/storageaccounts/jmuclatomcatsa | jmuclatomcatsa | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-jmuclatomcatsa | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-jmuclatomcatsa/providers/microsoft.storage/storageaccounts/jmuclatomcatsa | jmuclatomcatsa | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-requapurestoragewestus | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-requapurestoragewestus/providers/microsoft.storage/storageaccounts/requapurestoragewestus | requapurestoragewestus | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-requapurestoragewestus | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-requapurestoragewestus/providers/microsoft.storage/storageaccounts/requapurestoragewestus | requapurestoragewestus | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-requapurestoragewestus | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-requapurestoragewestus/providers/microsoft.storage/storageaccounts/requapurestoragewestus | requapurestoragewestus | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-requapurestoragewestus | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-requapurestoragewestus/providers/microsoft.storage/storageaccounts/requapurestoragewestus | requapurestoragewestus | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-requapurestoragewestus | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-requapurestoragewestus/providers/microsoft.storage/storageaccounts/requapurestoragewestus | requapurestoragewestus | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-requapurestoragewestus | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-requapurestoragewestus/providers/microsoft.storage/storageaccounts/requapurestoragewestus | requapurestoragewestus | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-requapurestoragewestus | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-requapurestoragewestus/providers/microsoft.storage/storageaccounts/requapurestoragewestus | requapurestoragewestus | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-requapurestoragewestus | Microsoft.Storage/storageAccounts | tbd | westus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-requapurestoragewestus/providers/microsoft.storage/storageaccounts/requapurestoragewestus | requapurestoragewestus | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-requapurestoragewestus | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-requapurestoragewestus/providers/microsoft.storage/storageaccounts/requapurestoragewestus | requapurestoragewestus | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-requapurestoragewestus | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-requapurestoragewestus/providers/microsoft.storage/storageaccounts/requapurestoragewestus | requapurestoragewestus | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622 | Locker-requapurestoragewestus | Microsoft.Storage/storageAccounts | tbd | westus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/locker-requapurestoragewestus/providers/microsoft.storage/storageaccounts/requapurestoragewestus | requapurestoragewestus | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622 | MC_jm-aks-rg_jmAKSCluster_eastus | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.network/virtualnetworks/aks-vnet-14699579 | aks-vnet-14699579 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622 | mc_jm-aks-rg_jmakscluster_eastus | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.storage/storageaccounts/fuse7876be4ce5e14ea3be9 | fuse7876be4ce5e14ea3be9 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622 | MC_jm-aks-rg_jmAKSCluster_eastus | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.network/virtualnetworks/aks-vnet-14699579 | aks-vnet-14699579 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622 | mc_jm-aks-rg_jmakscluster_eastus | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.storage/storageaccounts/fuse7876be4ce5e14ea3be9 | fuse7876be4ce5e14ea3be9 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622 | MC_jm-aks-rg_jmAKSCluster_eastus | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.network/virtualnetworks/aks-vnet-14699579 | aks-vnet-14699579 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622 | mc_jm-aks-rg_jmakscluster_eastus | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.storage/storageaccounts/fuse7876be4ce5e14ea3be9 | fuse7876be4ce5e14ea3be9 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622 | MC_jm-aks-rg_jmAKSCluster_eastus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.compute/virtualmachinescalesets/aks-nodepool1-14699579-vmss | aks-nodepool1-14699579-vmss | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 2.1.0 | diagnosticslogsinservicefabricmonitoringeffect | 7c1b1214-f927-48bf-8882-84f0af6588b1 | /providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. | Compute | Resource logs in Virtual Machine Scale Sets should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622 | MC_jm-aks-rg_jmAKSCluster_eastus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.compute/virtualmachinescalesets/aks-nodepool1-14699579-vmss | aks-nodepool1-14699579-vmss | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 2.1.0 | diagnosticslogsinservicefabricmonitoringeffect | 7c1b1214-f927-48bf-8882-84f0af6588b1 | /providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1 | azure_security_benchmark_v3.0_lt-3 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. | Compute | Resource logs in Virtual Machine Scale Sets should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622 | mc_jm-aks-rg_jmakscluster_eastus | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.storage/storageaccounts/fuse7876be4ce5e14ea3be9 | fuse7876be4ce5e14ea3be9 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622 | mc_jm-aks-rg_jmakscluster_eastus | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.storage/storageaccounts/fuse7876be4ce5e14ea3be9 | fuse7876be4ce5e14ea3be9 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622 | MC_jm-aks-rg_jmAKSCluster_eastus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.compute/virtualmachinescalesets/aks-nodepool1-14699579-vmss | aks-nodepool1-14699579-vmss | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | vmssosvulnerabilitiesmonitoring | 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | /providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | Security Center | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622 | MC_jm-aks-rg_jmAKSCluster_eastus | Microsoft.Network/virtualNetworks/subnets | tbd | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.network/virtualnetworks/aks-vnet-14699579/subnets/aks-subnet | aks-subnet | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622 | mc_jm-aks-rg_jmakscluster_eastus | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.storage/storageaccounts/fuse7876be4ce5e14ea3be9 | fuse7876be4ce5e14ea3be9 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622 | mc_jm-aks-rg_jmakscluster_eastus | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.storage/storageaccounts/fuse7876be4ce5e14ea3be9 | fuse7876be4ce5e14ea3be9 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622 | mc_jm-aks-rg_jmakscluster_eastus | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.storage/storageaccounts/fuse7876be4ce5e14ea3be9 | fuse7876be4ce5e14ea3be9 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622 | MC_jm-aks-rg_jmAKSCluster_eastus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.compute/virtualmachinescalesets/aks-nodepool1-14699579-vmss | aks-nodepool1-14699579-vmss | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | vmsssystemupdatesmonitoring | c3f317a7-a95c-4547-b7e7-11017ebdf2fe | /providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | Security Center | System updates on virtual machine scale sets should be installed
1d81cec7-7ded-4731-884e-90c5aa59c622 | MC_jm-aks-rg_jmAKSCluster_eastus | Microsoft.Compute/virtualMachineScaleSets | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.compute/virtualmachinescalesets/aks-nodepool1-14699579-vmss | aks-nodepool1-14699579-vmss | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | installloganalyticsagentonvmssmonitoring | a3a6ea0c-e018-4933-9ef0-5aaa1501449b | /providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | Security Center | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622mc_jm-aks-rg_jmakscluster_eastusMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.storage/storageaccounts/fuse7876be4ce5e14ea3be9fuse7876be4ce5e14ea3be955.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622MC_jm-aks-rg_jmAKSCluster_eastusMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.compute/virtualmachinescalesets/aks-nodepool1-14699579-vmssaks-nodepool1-14699579-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622MC_jm-aks-rg_jmAKSCluster_eastusMicrosoft.Compute/virtualMachineScaleSetstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.compute/virtualmachinescalesets/aks-nodepool1-14699579-vmssaks-nodepool1-14699579-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmssendpointprotectionmonitoring26a828e1-e88f-464e-bbb3-c134a282b9de/providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9deazure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.Security CenterEndpoint protection solution should be installed on virtual machine scale sets
1d81cec7-7ded-4731-884e-90c5aa59c622MC_jm-aks-rg_jmAKSCluster_eastusMicrosoft.Compute/virtualMachineScaleSetstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.compute/virtualmachinescalesets/aks-nodepool1-14699579-vmssaks-nodepool1-14699579-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmssosvulnerabilitiesmonitoring3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4/providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks.Security CenterVulnerabilities in security configuration on your virtual machine scale sets should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622MC_jm-aks-rg_jmAKSCluster_eastusMicrosoft.Compute/virtualMachineScaleSetstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.compute/virtualmachinescalesets/aks-nodepool1-14699579-vmssaks-nodepool1-14699579-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmssmonitoringa3a6ea0c-e018-4933-9ef0-5aaa1501449b/providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449bazure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSecurity Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats.Security CenterLog Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622MC_jm-aks-rg_jmAKSCluster_eastusMicrosoft.Compute/virtualMachineScaleSetstbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.compute/virtualmachinescalesets/aks-nodepool1-14699579-vmssaks-nodepool1-14699579-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmsssystemupdatesmonitoringc3f317a7-a95c-4547-b7e7-11017ebdf2fe/providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2feazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure.Security CenterSystem updates on virtual machine scale sets should be installed
1d81cec7-7ded-4731-884e-90c5aa59c622MC_jm-aks-rg_jmAKSCluster_eastusMicrosoft.Compute/virtualMachineScaleSetstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.compute/virtualmachinescalesets/aks-nodepool1-14699579-vmssaks-nodepool1-14699579-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmssendpointprotectionmonitoring26a828e1-e88f-464e-bbb3-c134a282b9de/providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9deazure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.Security CenterEndpoint protection solution should be installed on virtual machine scale sets
1d81cec7-7ded-4731-884e-90c5aa59c622mc_jm-aks-rg_jmakscluster_eastusMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.storage/storageaccounts/fuse7876be4ce5e14ea3be9fuse7876be4ce5e14ea3be955.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622mc_jm-aks-rg_jmakscluster_eastusMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.storage/storageaccounts/fuse7876be4ce5e14ea3be9fuse7876be4ce5e14ea3be955.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622MC_jm-aks-rg_jmAKSCluster_eastusMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/mc_jm-aks-rg_jmakscluster_eastus/providers/microsoft.compute/virtualmachinescalesets/aks-nodepool1-14699579-vmssaks-nodepool1-14699579-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphostrhel7-9-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphostrhel7-9-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2azcvohaclus-vm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphostrhel7-9-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2azcvohaclus-vm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphostrhel7-9-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphostrhel7-9-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphostrhel7-9-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphostrhel7-9-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphostrhel7-9-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphostrhel7-9-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphostrhel7-9-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphostrhel7-9-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphostrhel7-9-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,nnetapp_cvo,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost,rhel7-9-jumphost,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,nnetapp_cvo,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost,rhel7-9-jumphost,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,"Allowlist rules in your adaptive application control policy should be updated"
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2,azcvohaclus-vm2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,"Authentication to Linux machines should require SSH keys"
1d81cec7-7ded-4731-884e-90c5aa59c622,nnetapp_cvo,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost,rhel7-9-jumphost,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,"Endpoint protection should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,nnetapp_cvo,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost,rhel7-9-jumphost,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,"Adaptive application controls for defining safe applications should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,nnetapp_cvo,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost,rhel7-9-jumphost,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,"Endpoint protection health issues should be resolved on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,nnetapp_cvo,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost,rhel7-9-jumphost,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,"Authentication to Linux machines should require SSH keys"
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2,azcvohaclus-vm2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,"Vulnerabilities in security configuration on your machines should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2,azcvohaclus-vm2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,"Monitor missing Endpoint Protection in Azure Security Center"
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2,azcvohaclus-vm2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,nnetapp_cvo,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test,cvo-vm-test,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Linux machines should meet requirements for the Azure compute security baseline"
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2,azcvohaclus-vm2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Non-internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2,azcvohaclus-vm2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,nnetapp_cvo,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost,rhel7-9-jumphost,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,"Authentication to Linux machines should require SSH keys"
1d81cec7-7ded-4731-884e-90c5aa59c622,nnetapp_cvo,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost,rhel7-9-jumphost,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Linux machines should meet requirements for the Azure compute security baseline"
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2,azcvohaclus-vm2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,"A vulnerability assessment solution should be enabled on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2,azcvohaclus-vm2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,"Allowlist rules in your adaptive application control policy should be updated"
1d81cec7-7ded-4731-884e-90c5aa59c622,nnetapp_cvo,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test,cvo-vm-test,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,"Authentication to Linux machines should require SSH keys"
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2,azcvohaclus-vm2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,"Adaptive application controls for defining safe applications should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,nnetapp_cvo,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost,rhel7-9-jumphost,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Linux machines should meet requirements for the Azure compute security baseline"
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2,azcvohaclus-vm2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,"All network ports should be restricted on network security groups associated to your virtual machine"
1d81cec7-7ded-4731-884e-90c5aa59c622,nnetapp_cvo,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test,cvo-vm-test,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,"Authentication to Linux machines should require SSH keys"
1d81cec7-7ded-4731-884e-90c5aa59c622,nnetapp_cvo,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test,cvo-vm-test,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Linux machines should meet requirements for the Azure compute security baseline"
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2,azcvohaclus-vm2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,"Management ports of virtual machines should be protected with just-in-time network access control"
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle,azcvosingle,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,"All network ports should be restricted on network security groups associated to your virtual machine"
1d81cec7-7ded-4731-884e-90c5aa59c622,nnetapp_cvo,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphost,rhel7-9-jumphost,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,"[Preview]: System updates should be installed on your machines (powered by Update Center)"
1d81cec7-7ded-4731-884e-90c5aa59c622,nnetapp_cvo,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test,cvo-vm-test,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,"Virtual machines should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,nnetapp_cvo,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test,cvo-vm-test,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhenuser,497dff13-db2a-4c0f-8603-28fa3b331ab6,/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity"
1d81cec7-7ded-4731-884e-90c5aa59c622,nnetapp_cvo,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test,cvo-vm-test,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhennone,3cf2ab00-13f1-4d0c-8971-2ac904541a7e,/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities"
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle,azcvosingle,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,"Endpoint protection health issues should be resolved on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingleazcvosingle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingleazcvosingle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1azcvohaclus-vm155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingleazcvosingle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingleazcvosingle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingleazcvosingle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingleazcvosingle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2azcvohaclus-vm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingleazcvosingle1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingleazcvosingle1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingleazcvosingle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingleazcvosingle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingleazcvosingle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-testcvo-vm-test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingleazcvosingle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2azcvohaclus-vm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-testcvo-vm-test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-testcvo-vm-test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2azcvohaclus-vm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-testcvo-vm-test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-testcvo-vm-test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-testcvo-vm-test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-testcvo-vm-test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,nnetapp_cvo,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test,cvo-vm-test,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,Management ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622,nnetapp_cvo,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test,cvo-vm-test,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622,nnetapp_cvo,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test,cvo-vm-test,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,Guest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,nnetapp_cvo,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test,cvo-vm-test,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2,azcvohaclus-vm2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,Guest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle,azcvosingle,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,Azure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622,nnetapp_cvo,Microsoft.Compute/virtualMachines,tbd,eastus,True,Exempt,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test,cvo-vm-test,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,System updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,nnetapp_cvo,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test,cvo-vm-test,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,nnetapp_cvo,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test,cvo-vm-test,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,nnetapp_cvo,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test,cvo-vm-test,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622,nnetapp_cvo,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test,cvo-vm-test,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,nnetapp_cvo,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test,cvo-vm-test,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle,azcvosingle,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle,azcvosingle,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle,azcvosingle,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle,azcvosingle,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle,azcvosingle,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle,azcvosingle,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,3.0.0,prerequisite_deployextensionlinux,331e8ea8-378a-410f-a2e5-ae22f38bb0da,/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da,,tbd,deployifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle,azcvosingle,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle,azcvosingle,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,Guest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2,azcvohaclus-vm2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,Linux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle,azcvosingle,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,System updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle,azcvosingle,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle,azcvosingle,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,Management ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle,azcvosingle,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,Adaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle,azcvosingle,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,Allowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle,azcvosingle,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle,azcvosingle,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Non-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle,azcvosingle,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,Vulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle,azcvosingle,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,Monitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingle,azcvosingle,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingleazcvosingle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1azcvohaclus-vm155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingleazcvosingle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingleazcvosingle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingleazcvosingle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingleazcvosingle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingleazcvosingle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingleazcvosingle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingleazcvosingle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingleazcvosingle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingleazcvosingle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingleazcvosingle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingleazcvosingle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-testcvo-vm-test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingleazcvosingle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingleazcvosingle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingleazcvosingle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingleazcvosingle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingleazcvosingle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingleazcvosingle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingleazcvosingle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingleazcvosingle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingleazcvosingle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingleazcvosingle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-testcvo-vm-test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2azcvohaclus-vm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-testcvo-vm-test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphostrhel7-9-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphostrhel7-9-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2azcvohaclus-vm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphostrhel7-9-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphostrhel7-9-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphostrhel7-9-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-testcvo-vm-test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphostrhel7-9-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphostrhel7-9-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphostrhel7-9-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphostrhel7-9-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingleazcvosingle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2azcvohaclus-vm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphostrhel7-9-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphostrhel7-9-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphostrhel7-9-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphostrhel7-9-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphostrhel7-9-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2azcvohaclus-vm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphostrhel7-9-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphostrhel7-9-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphostrhel7-9-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphostrhel7-9-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2azcvohaclus-vm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
Rows for SubscriptionId 1d81cec7-7ded-4731-884e-90c5aa59c622, ResourceType Microsoft.Compute/virtualMachines, ResourceLocation eastus, ResourceTags tbd. Columns that are empty in every row (EffectiveParameters, PolicySetDefinitionParameters, PolicySetDefinitionOwner, PolicyEvaluationDetails, PolicyAssignmentVersion, PolicyAssignmentOwner) and columns that are constant (PolicyDefinitionCategory = tbd, PolicyAssignmentParameters = tbd) are omitted below. ResourceId is /subscriptions/<SubscriptionId>/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/<Resource>; IsCompliant is True for Compliant and False for NonCompliant. PolicySetDefinitionId is /providers/Microsoft.Authorization/policySetDefinitions/<PolicySetDefinitionName>; PolicyDefinitionId is /providers/microsoft.authorization/policydefinitions/<PolicyDefinitionName>; PolicyAssignmentId is <PolicyAssignmentScope, lower-cased>/providers/microsoft.authorization/policyassignments/<PolicyAssignmentName, lower-cased>. A PolicyDefinitionGroupNames value of System.Object[] is an array that was stringified at export time; the group list for those rows is not recoverable from this report.

Initiatives (PolicySetDefinitionName,PolicySetDefinitionVersion,PolicySetDefinitionCategory):
1f3afdf9-d0c9-4c3d-847f-89da613e70a8,55.0.0,security center
12794019-7a00-42cf-95c2-882eed337cc8,1.0.0,guest configuration

ResourceGroup,Resource,ComplianceState,PolicySetDefinitionName,PolicyDefinitionVersion,PolicyDefinitionReferenceId,PolicyDefinitionName,PolicyDefinitionGroupNames,PolicyDefinitionAction,PolicyAssignmentScope,PolicyAssignmentName,PolicyCategory,PolicyDisplayName
nnetapp_cvo,rhel7-9-jumphost,NonCompliant,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,System.Object[],auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Backup,Azure Backup should be enabled for Virtual Machines
nNetapp_CVO,azcvohaclus-vm2,Compliant,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],auditifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Security Center,Adaptive network hardening recommendations should be applied on internet facing virtual machines
nnetapp_cvo,rhel7-9-jumphost,NonCompliant,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,auditifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Security Center,Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
nnetapp_cvo,rhel7-9-jumphost,NonCompliant,12794019-7a00-42cf-95c2-882eed337cc8,3.0.0,prerequisite_deployextensionlinux,331e8ea8-378a-410f-a2e5-ae22f38bb0da,,deployifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,f34f1577286a4f77b5dd107c,Guest Configuration,Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
nnetapp_cvo,rhel7-9-jumphost,NonCompliant,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Security Center,Endpoint protection health issues should be resolved on your machines
nnetapp_cvo,rhel7-9-jumphost,Compliant,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,audit,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Update Management Center,[Preview]: Machines should be configured to periodically check for missing system updates
nnetapp_cvo,rhel7-9-jumphost,NonCompliant,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Security Center,Endpoint protection should be installed on your machines
nnetapp_cvo,rhel7-9-jumphost,Compliant,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Security Center,Vulnerabilities in container security configurations should be remediated
nnetapp_cvo,rhel7-9-jumphost,Compliant,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Security Center,IP Forwarding on your virtual machine should be disabled
nnetapp_cvo,rhel7-9-jumphost,Compliant,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Security Center,Management ports should be closed on your virtual machines
nnetapp_cvo,rhel7-9-jumphost,Compliant,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Security Center,Adaptive network hardening recommendations should be applied on internet facing virtual machines
nnetapp_cvo,rhel7-9-jumphost,NonCompliant,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Security Center,SQL servers on machines should have vulnerability findings resolved
nnetapp_cvo,rhel7-9-jumphost,Compliant,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Security Center,A vulnerability assessment solution should be enabled on your virtual machines
nnetapp_cvo,rhel7-9-jumphost,Compliant,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Security Center,All network ports should be restricted on network security groups associated to your virtual machine
nnetapp_cvo,rhel7-9-jumphost,Compliant,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Security Center,Monitor missing Endpoint Protection in Azure Security Center
nnetapp_cvo,rhel7-9-jumphost,NonCompliant,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Security Center,Guest Configuration extension should be installed on your machines
nnetapp_cvo,rhel7-9-jumphost,Compliant,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],auditifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Security Center,Management ports of virtual machines should be protected with just-in-time network access control
nnetapp_cvo,rhel7-9-jumphost,Compliant,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,audit,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Compute,Virtual machines should be migrated to new Azure Resource Manager resources
nnetapp_cvo,rhel7-9-jumphost,NonCompliant,12794019-7a00-42cf-95c2-882eed337cc8,4.0.0,prerequisite_addsystemidentitywhennone,3cf2ab00-13f1-4d0c-8971-2ac904541a7e,,modify,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,f34f1577286a4f77b5dd107c,Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
nnetapp_cvo,cvo-vm-test,Compliant,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],auditifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Security Center,Management ports of virtual machines should be protected with just-in-time network access control
nnetapp_cvo,cvo-vm-test,Compliant,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,auditifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Security Center,[Preview]: System updates should be installed on your machines (powered by Update Center)
nnetapp_cvo,cvo-vm-test,Compliant,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,auditifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Security Center,System updates should be installed on your machines
nNetapp_CVO,azcvohaclus-vm1,NonCompliant,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,auditifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Guest Configuration,Authentication to Linux machines should require SSH keys
nnetapp_cvo,cvo-vm-test,Compliant,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,auditifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Security Center,Guest Configuration extension should be installed on your machines
nnetapp_cvo,cvo-vm-test,Compliant,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,auditifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,Security Center,Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
nnetapp_cvo,cvo-vm-test,Compliant,12794019-7a00-42cf-95c2-882eed337cc8,3.0.0,prerequisite_deployextensionlinux,331e8ea8-378a-410f-a2e5-ae22f38bb0da,,deployifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,f34f1577286a4f77b5dd107c,Guest Configuration,Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
nnetapp_cvo,cvo-vm-test,NonCompliant,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Security Center,Endpoint protection health issues should be resolved on your machines
nnetapp_cvo,cvo-vm-test,NonCompliant,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Security Center,Endpoint protection should be installed on your machines
nNetapp_CVO,azcvosingle,NonCompliant,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Guest Configuration,Authentication to Linux machines should require SSH keys
nnetapp_cvo,cvo-vm-test,NonCompliant,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,System.Object[],auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Backup,Azure Backup should be enabled for Virtual Machines
nnetapp_cvo,cvo-vm-test,Compliant,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,Security Center,Vulnerabilities in container security configurations should be remediated

Policy descriptions (PolicyDefinitionName,PolicyDisplayName,PolicyDescription), one entry per definition referenced above:
013e242c-8828-4970-87b3-ab247555486d,Azure Backup should be enabled for Virtual Machines,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure."
08e6af2d-db70-460a-bfe9-d5bd474ba9d6,Adaptive network hardening recommendations should be applied on internet facing virtual machines,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface"
a4fe33eb-e377-4efb-ab31-0784311bc499,Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats"
331e8ea8-378a-410f-a2e5-ae22f38bb0da,Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs,"This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol."
8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,Endpoint protection health issues should be resolved on your machines,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection."
bd876905-5b84-4f73-ab2d-2e7a7c4568d9,[Preview]: Machines should be configured to periodically check for missing system updates,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode."
1f7c564c-0a90-4d44-b7e1-9d456cffaee8,Endpoint protection should be installed on your machines,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution."
e8cbc669-f12d-49eb-93e7-9273119e9933,Vulnerabilities in container security configurations should be remediated,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center."
bd352bd5-2853-4985-bf0d-73806b4a5744,IP Forwarding on your virtual machine should be disabled,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team."
22730e10-96f6-4aac-ad84-9383d35b5917,Management ports should be closed on your virtual machines,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine."
6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,SQL servers on machines should have vulnerability findings resolved,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture."
501541f7-f7e7-4cd6-868c-4190fdad3ac9,A vulnerability assessment solution should be enabled on your virtual machines,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you."
9daedab3-fb2d-461e-b861-71790eead4f6,All network ports should be restricted on network security groups associated to your virtual machine,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources."
af6cd1bd-1635-48cb-bde7-5b15693900b9,Monitor missing Endpoint Protection in Azure Security Center,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations"
ae89ebca-1c92-4898-ac2c-9f63decb045c,Guest Configuration extension should be installed on your machines,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol."
b0f33259-77d7-4c9e-aac6-3aabcfae693c,Management ports of virtual machines should be protected with just-in-time network access control,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations"
1d84d5fb-01f6-4d12-ba4f-4a26081d403d,Virtual machines should be migrated to new Azure Resource Manager resources,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management"
3cf2ab00-13f1-4d0c-8971-2ac904541a7e,Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol."
f85bf3e0-d513-442e-89c3-1784ad63382b,[Preview]: System updates should be installed on your machines (powered by Update Center),"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps."
86b3d65f-7626-441e-b690-81a8b71cff60,System updates should be installed on your machines,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations"
630c64f9-8b6b-4c64-b511-6544ceff6fd6,Authentication to Linux machines should require SSH keys,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed."
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-testcvo-vm-test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-testcvo-vm-test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-testcvo-vm-test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-testcvo-vm-test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-testcvo-vm-test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-testcvo-vm-test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-testcvo-vm-test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-testcvo-vm-test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-testcvo-vm-test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-test/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1azcvohaclus-vm155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-testcvo-vm-test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2azcvohaclus-vm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-testcvo-vm-test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingleazcvosingle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvosingleazcvosingle55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/rhel7-9-jumphostrhel7-9-jumphost1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-testcvo-vm-test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-testcvo-vm-test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-testcvo-vm-test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-testcvo-vm-test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-testcvo-vm-test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-testcvo-vm-test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-testcvo-vm-test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-testcvo-vm-test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-testcvo-vm-test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/cvo-vm-testcvo-vm-test55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2azcvohaclus-vm21.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration3.0.0prerequisite_deployextensionlinux331e8ea8-378a-410f-a2e5-ae22f38bb0da/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0datbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2azcvohaclus-vm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1azcvohaclus-vm155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/bfo5hnufuiola9rbfo5hnufuiola9r55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/ezphyxrsztuak21ezphyxrsztuak2155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/ezphyxrsztuak21ezphyxrsztuak2155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/ezphyxrsztuak21ezphyxrsztuak2155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/ezphyxrsztuak21ezphyxrsztuak2155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/ezphyxrsztuak21ezphyxrsztuak2155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/ezphyxrsztuak21ezphyxrsztuak2155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/ezphyxrsztuak21ezphyxrsztuak2155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/ezphyxrsztuak21ezphyxrsztuak2155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/ezphyxrsztuak21ezphyxrsztuak2155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/32chvhfcekz7wdp32chvhfcekz7wdp55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/bfo5hnufuiola9rbfo5hnufuiola9r55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/4rdjayuqsobbyse4rdjayuqsobbyse55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/d0vulmraehl8etmd0vulmraehl8etm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/d0vulmraehl8etmd0vulmraehl8etm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/d0vulmraehl8etmd0vulmraehl8etm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/d0vulmraehl8etmd0vulmraehl8etm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/d0vulmraehl8etmd0vulmraehl8etm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/d0vulmraehl8etmd0vulmraehl8etm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/4rdjayuqsobbyse,4rdjayuqsobbyse,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,Storage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/d0vulmraehl8etm,d0vulmraehl8etm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/nnetappcvodiag,nnetappcvodiag,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/nnetappcvodiag,nnetappcvodiag,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,Storage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/ql9a0siq6yvhhxt,ql9a0siq6yvhhxt,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/nnetappcvodiag,nnetappcvodiag,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,Storage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/nnetappcvodiag,nnetappcvodiag,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/nnetappcvodiag,nnetappcvodiag,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,Storage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/nnetappcvodiag,nnetappcvodiag,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02,azcvo-cloudcon02,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Non-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02,azcvo-cloudcon02,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,Vulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02,azcvo-cloudcon02,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,Monitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02,azcvo-cloudcon02,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2,azcvohaclus-vm2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02,azcvo-cloudcon02,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,A vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02,azcvo-cloudcon02,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,All network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02,azcvo-cloudcon02,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,SQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622,nnetapp_cvo,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost,azure-cvo-jumphost,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,Authentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02,azcvo-cloudcon02,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,Adaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02,azcvo-cloudcon02,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,Management ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/nnetappcvodiag,nnetappcvodiag,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,Storage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/nnetappcvodiag,nnetappcvodiag,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02,azcvo-cloudcon02,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,IP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02,azcvo-cloudcon02,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/d0vulmraehl8etm,d0vulmraehl8etm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,Storage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/d0vulmraehl8etm,d0vulmraehl8etm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/32chvhfcekz7wdp,32chvhfcekz7wdp,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,Storage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/32chvhfcekz7wdp,32chvhfcekz7wdp,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/32chvhfcekz7wdp,32chvhfcekz7wdp,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,Storage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/32chvhfcekz7wdp,32chvhfcekz7wdp,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/32chvhfcekz7wdp,32chvhfcekz7wdp,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.1.1,disableunrestrictednetworktostorageaccountmonitoring,34c877ad-507e-4c82-993e-3452a6e0ad3c,/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges",Storage,Storage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/32chvhfcekz7wdp32chvhfcekz7wdp55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/32chvhfcekz7wdp32chvhfcekz7wdp55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/32chvhfcekz7wdp32chvhfcekz7wdp55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/32chvhfcekz7wdp32chvhfcekz7wdp55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02azcvo-cloudcon021.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration3.0.0prerequisite_deployextensionlinux331e8ea8-378a-410f-a2e5-ae22f38bb0da/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0datbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02azcvo-cloudcon0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02azcvo-cloudcon0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02azcvo-cloudcon0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02azcvo-cloudcon0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02azcvo-cloudcon0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02azcvo-cloudcon0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02azcvo-cloudcon0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02azcvo-cloudcon0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02azcvo-cloudcon0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02azcvo-cloudcon0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/32chvhfcekz7wdp32chvhfcekz7wdp55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/4rdjayuqsobbyse4rdjayuqsobbyse55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/4rdjayuqsobbyse4rdjayuqsobbyse55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/4rdjayuqsobbyse4rdjayuqsobbyse55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/bfo5hnufuiola9rbfo5hnufuiola9r55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/bfo5hnufuiola9rbfo5hnufuiola9r55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/bfo5hnufuiola9rbfo5hnufuiola9r55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/bfo5hnufuiola9rbfo5hnufuiola9r55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/bfo5hnufuiola9rbfo5hnufuiola9r55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/bfo5hnufuiola9rbfo5hnufuiola9r55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/bfo5hnufuiola9rbfo5hnufuiola9r55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02azcvo-cloudcon0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02azcvo-cloudcon0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/ql9a0siq6yvhhxtql9a0siq6yvhhxt55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02azcvo-cloudcon0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/bfo5hnufuiola9rbfo5hnufuiola9r55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02azcvo-cloudcon0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02azcvo-cloudcon0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/4rdjayuqsobbyse4rdjayuqsobbyse55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/4rdjayuqsobbyse4rdjayuqsobbyse55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/4rdjayuqsobbyse4rdjayuqsobbyse55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/4rdjayuqsobbyse4rdjayuqsobbyse55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/4rdjayuqsobbyse4rdjayuqsobbyse55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/4rdjayuqsobbyse4rdjayuqsobbyse55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/bfo5hnufuiola9rbfo5hnufuiola9r55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02azcvo-cloudcon0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/ql9a0siq6yvhhxtql9a0siq6yvhhxt55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/ql9a0siq6yvhhxtql9a0siq6yvhhxt55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphostazure-cvo-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02azcvo-cloudcon0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02azcvo-cloudcon0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02azcvo-cloudcon0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/yxv9pnwrsse4uazyxv9pnwrsse4uaz55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02azcvo-cloudcon0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02azcvo-cloudcon0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02,azcvo-cloudcon02,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02,azcvo-cloudcon02,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,Management ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/yxv9pnwrsse4uaz,yxv9pnwrsse4uaz,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02,azcvo-cloudcon02,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,Adaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/yxv9pnwrsse4uaz,yxv9pnwrsse4uaz,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,Storage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02,azcvo-cloudcon02,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,Allowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02,azcvo-cloudcon02,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2,azcvohaclus-vm2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,Authentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachineScaleSets,tbd,eastus,True,Exempt,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachinescalesets/azure-cvo-rhel-7-9-vmss,azure-cvo-rhel-7-9-vmss,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vmsssystemupdatesmonitoring,c3f317a7-a95c-4547-b7e7-11017ebdf2fe,/providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure.",Security Center,System updates on virtual machine scale sets should be installed
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachineScaleSets,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachinescalesets/azure-cvo-rhel-7-9-vmss,azure-cvo-rhel-7-9-vmss,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmssmonitoring,a3a6ea0c-e018-4933-9ef0-5aaa1501449b,/providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats.",Security Center,Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachineScaleSets,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachinescalesets/azure-cvo-rhel-7-9-vmss,azure-cvo-rhel-7-9-vmss,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vmssosvulnerabilitiesmonitoring,3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4,/providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks.",Security Center,Vulnerabilities in security configuration on your virtual machine scale sets should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachineScaleSets,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachinescalesets/azure-cvo-rhel-7-9-vmss,azure-cvo-rhel-7-9-vmss,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vmssendpointprotectionmonitoring,26a828e1-e88f-464e-bbb3-c134a282b9de,/providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.",Security Center,Endpoint protection solution should be installed on virtual machine scale sets
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/yxv9pnwrsse4uaz,yxv9pnwrsse4uaz,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.1.1,disableunrestrictednetworktostorageaccountmonitoring,34c877ad-507e-4c82-993e-3452a6e0ad3c,/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges",Storage,Storage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/yxv9pnwrsse4uaz,yxv9pnwrsse4uaz,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/yxv9pnwrsse4uaz,yxv9pnwrsse4uaz,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/yxv9pnwrsse4uaz,yxv9pnwrsse4uaz,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622,nnetapp_cvo,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost,azure-cvo-jumphost,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,Linux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02,azcvo-cloudcon02,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhennone,3cf2ab00-13f1-4d0c-8971-2ac904541a7e,/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02,azcvo-cloudcon02,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhenuser,497dff13-db2a-4c0f-8603-28fa3b331ab6,/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02,azcvo-cloudcon02,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02,azcvo-cloudcon02,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02,azcvo-cloudcon02,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02,azcvo-cloudcon02,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02,azcvo-cloudcon02,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02,azcvo-cloudcon02,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/yxv9pnwrsse4uaz,yxv9pnwrsse4uaz,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,Storage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/rootsavugz4gim,rootsavugz4gim,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,Storage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/wqf1xfablntb5ii,wqf1xfablntb5ii,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,Storage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/wqf1xfablntb5ii,wqf1xfablntb5ii,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,Storage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/yxv9pnwrsse4uaz,yxv9pnwrsse4uaz,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,Storage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/svfoswiwuwgxmdfsvfoswiwuwgxmdf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/rootsavugz4gimrootsavugz4gim55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/svfoswiwuwgxmdfsvfoswiwuwgxmdf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/ql9a0siq6yvhhxtql9a0siq6yvhhxt55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/yxv9pnwrsse4uazyxv9pnwrsse4uaz55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/yxv9pnwrsse4uazyxv9pnwrsse4uaz55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachinescalesets/azure-cvo-rhel-7-9-vmssazure-cvo-rhel-7-9-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachineScaleSetstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachinescalesets/azure-cvo-rhel-7-9-vmssazure-cvo-rhel-7-9-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmssmonitoringa3a6ea0c-e018-4933-9ef0-5aaa1501449b/providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449bazure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecurity Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats.Security CenterLog Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachineScaleSetstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachinescalesets/azure-cvo-rhel-7-9-vmssazure-cvo-rhel-7-9-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmssosvulnerabilitiesmonitoring3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4/providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks.Security CenterVulnerabilities in security configuration on your virtual machine scale sets should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/svfoswiwuwgxmdfsvfoswiwuwgxmdf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/svfoswiwuwgxmdfsvfoswiwuwgxmdf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/rootsavugz4gimrootsavugz4gim55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/svfoswiwuwgxmdfsvfoswiwuwgxmdf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/rootsavugz4gimrootsavugz4gim55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/svfoswiwuwgxmdfsvfoswiwuwgxmdf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/rootsavugz4gimrootsavugz4gim55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/svfoswiwuwgxmdfsvfoswiwuwgxmdf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/rootsavugz4gimrootsavugz4gim55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/svfoswiwuwgxmdfsvfoswiwuwgxmdf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/rootsavugz4gimrootsavugz4gim55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/ezphyxrsztuak21ezphyxrsztuak2155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/nnetappcvodiagnnetappcvodiag55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/d0vulmraehl8etm,d0vulmraehl8etm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,Storage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/d0vulmraehl8etm,d0vulmraehl8etm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,Storage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/ql9a0siq6yvhhxt,ql9a0siq6yvhhxt,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,Storage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/ql9a0siq6yvhhxt,ql9a0siq6yvhhxt,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/ql9a0siq6yvhhxt,ql9a0siq6yvhhxt,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,Storage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/ql9a0siq6yvhhxt,ql9a0siq6yvhhxt,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/rootsavugz4gim,rootsavugz4gim,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/rootsavugz4gim,rootsavugz4gim,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,Storage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/svfoswiwuwgxmdf,svfoswiwuwgxmdf,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,Storage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/rootsavugz4gim,rootsavugz4gim,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachineScaleSets,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachinescalesets/azure-cvo-rhel-7-9-vmss,azure-cvo-rhel-7-9-vmss,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.1.0,diagnosticslogsinservicefabricmonitoringeffect,7c1b1214-f927-48bf-8882-84f0af6588b1,/providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1,azure_security_benchmark_v3.0_lt-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise.",Compute,Resource logs in Virtual Machine Scale Sets should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachineScaleSets,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachinescalesets/azure-cvo-rhel-7-9-vmss,azure-cvo-rhel-7-9-vmss,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vmssendpointprotectionmonitoring,26a828e1-e88f-464e-bbb3-c134a282b9de,/providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.",Security Center,Endpoint protection solution should be installed on virtual machine scale sets
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachineScaleSets,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachinescalesets/azure-cvo-rhel-7-9-vmss,azure-cvo-rhel-7-9-vmss,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vmsssystemupdatesmonitoring,c3f317a7-a95c-4547-b7e7-11017ebdf2fe,/providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure.",Security Center,System updates on virtual machine scale sets should be installed
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachineScaleSets,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachinescalesets/azure-cvo-rhel-7-9-vmss,azure-cvo-rhel-7-9-vmss,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/wqf1xfablntb5ii,wqf1xfablntb5ii,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,Storage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/wqf1xfablntb5ii,wqf1xfablntb5ii,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/wqf1xfablntb5ii,wqf1xfablntb5ii,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,Storage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/wqf1xfablntb5ii,wqf1xfablntb5ii,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/wqf1xfablntb5ii,wqf1xfablntb5ii,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.1.1,disableunrestrictednetworktostorageaccountmonitoring,34c877ad-507e-4c82-993e-3452a6e0ad3c,/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges",Storage,Storage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/ql9a0siq6yvhhxt,ql9a0siq6yvhhxt,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,Storage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/wqf1xfablntb5ii,wqf1xfablntb5ii,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,Storage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/wqf1xfablntb5ii,wqf1xfablntb5ii,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,Storage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Compute/virtualMachineScaleSets,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachinescalesets/azure-cvo-rhel-7-9-vmss,azure-cvo-rhel-7-9-vmss,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.1.0,diagnosticslogsinservicefabricmonitoringeffect,7c1b1214-f927-48bf-8882-84f0af6588b1,/providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1,azure_security_benchmark_v3.0_lt-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise.",Compute,Resource logs in Virtual Machine Scale Sets should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/wqf1xfablntb5ii,wqf1xfablntb5ii,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/ql9a0siq6yvhhxt,ql9a0siq6yvhhxt,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,Storage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/nnetappcvodiag,nnetappcvodiag,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,Storage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/ezphyxrsztuak21,ezphyxrsztuak21,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,Storage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/svfoswiwuwgxmdf,svfoswiwuwgxmdf,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,Storage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/svfoswiwuwgxmdf,svfoswiwuwgxmdf,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/rootsavugz4gim,rootsavugz4gim,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,Storage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622,nNetapp_CVO,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/wqf1xfablntb5ii,wqf1xfablntb5ii,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02azcvo-cloudcon0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.storage/storageaccounts/nnetappcvodiagnnetappcvodiag55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02azcvo-cloudcon0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2azcvohaclus-vm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2azcvohaclus-vm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2azcvohaclus-vm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2azcvohaclus-vm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2azcvohaclus-vm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphost/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphostazure-cvo-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphostazure-cvo-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2azcvohaclus-vm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphostazure-cvo-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphostazure-cvo-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphostazure-cvo-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphostazure-cvo-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphostazure-cvo-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphostazure-cvo-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphostazure-cvo-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphostazure-cvo-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphostazure-cvo-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphostazure-cvo-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
The following rows were exported with their column delimiters lost; they are restored here as CSV. Columns with the same value on every row below are factored out: SubscriptionId=1d81cec7-7ded-4731-884e-90c5aa59c622, ResourceType=Microsoft.Compute/virtualMachines, ResourceTags=tbd, ResourceLocation=eastus, PolicyDefinitionCategory=tbd, PolicyAssignmentParameters=tbd. ResourceId is /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/<Resource>; PolicySetDefinitionId is /providers/Microsoft.Authorization/policySetDefinitions/<PolicySetDefinitionName>; PolicyDefinitionId is /providers/microsoft.authorization/policydefinitions/<PolicyDefinitionName>; PolicyAssignmentId is <PolicyAssignmentScope, lower-cased>/providers/microsoft.authorization/policyassignments/<PolicyAssignmentName, lower-cased>. EffectiveParameters, PolicySetDefinitionParameters, PolicySetDefinitionOwner, PolicyEvaluationDetails, PolicyAssignmentVersion and PolicyAssignmentOwner carry no value in these rows.
ResourceGroup,Resource,IsCompliant,ComplianceState,PolicySetDefinitionVersion,PolicySetDefinitionName,PolicySetDefinitionCategory,PolicyDefinitionVersion,PolicyDefinitionReferenceId,PolicyDefinitionName,PolicyDefinitionGroupNames,PolicyDefinitionAction,PolicyAssignmentScope,PolicyAssignmentName,PolicyDescription,PolicyCategory,PolicyDisplayName
nnetapp_cvo,azure-cvo-jumphost,True,Compliant,55.0.0,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,auditifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,"IP Forwarding on your virtual machine should be disabled"
nnetapp_cvo,azure-cvo-jumphost,True,Compliant,55.0.0,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,auditifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Internet-facing virtual machines should be protected with network security groups"
nNetapp_CVO,azcvohaclus-vm2,True,Compliant,55.0.0,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,"Vulnerabilities in security configuration on your machines should be remediated"
nNetapp_CVO,azcvohaclus-vm2,True,Compliant,55.0.0,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Internet-facing virtual machines should be protected with network security groups"
nnetapp_cvo,azure-cvo-jumphost,False,NonCompliant,55.0.0,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Linux machines should meet requirements for the Azure compute security baseline"
nNetapp_CVO,azcvo-cloudcon02,False,NonCompliant,55.0.0,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,auditifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Linux machines should meet requirements for the Azure compute security baseline"
nNetapp_CVO,azcvo-cloudcon02,False,NonCompliant,55.0.0,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Linux machines should meet requirements for the Azure compute security baseline"
nNetapp_CVO,azcvohaclus-vm1,False,NonCompliant,55.0.0,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,auditifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,"Endpoint protection should be installed on your machines"
nNetapp_CVO,azcvohaclus-vm1,False,NonCompliant,55.0.0,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],auditifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,"Endpoint protection health issues should be resolved on your machines"
nNetapp_CVO,azcvohaclus-vm2,True,Compliant,1.0.0,12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,4.0.0,prerequisite_addsystemidentitywhennone,3cf2ab00-13f1-4d0c-8971-2ac904541a7e,,modify,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities"
nNetapp_CVO,azcvohaclus-vm2,True,Compliant,1.0.0,12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,4.0.0,prerequisite_addsystemidentitywhenuser,497dff13-db2a-4c0f-8603-28fa3b331ab6,,modify,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity"
nNetapp_CVO,azcvohaclus-vm2,True,Compliant,55.0.0,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,audit,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,"Virtual machines should be migrated to new Azure Resource Manager resources"
nNetapp_CVO,azcvohaclus-vm2,True,Compliant,55.0.0,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,audit,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,"[Preview]: Machines should be configured to periodically check for missing system updates"
nNetapp_CVO,azcvohaclus-vm2,True,Compliant,55.0.0,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Non-internet-facing virtual machines should be protected with network security groups"
nNetapp_CVO,azcvohaclus-vm2,True,Compliant,55.0.0,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,audit,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,"[Preview]: vTPM should be enabled on supported virtual machines"
nNetapp_CVO,azcvohaclus-vm2,True,Compliant,55.0.0,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,audit,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,"Virtual machines should be migrated to new Azure Resource Manager resources"
nNetapp_CVO,azcvohaclus-vm2,True,Compliant,55.0.0,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,audit,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,"[Preview]: Machines should be configured to periodically check for missing system updates"
nNetapp_CVO,azcvohaclus-vm2,True,Compliant,55.0.0,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,audit,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,"[Preview]: vTPM should be enabled on supported virtual machines"
nNetapp_CVO,azcvohaclus-vm2,True,Compliant,55.0.0,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,audit,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,"[Preview]: Secure Boot should be enabled on supported Windows virtual machines"
nNetapp_CVO,azcvohaclus-vm2,True,Exempt,55.0.0,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,"System updates should be installed on your machines"
nNetapp_CVO,azcvohaclus-vm2,False,NonCompliant,55.0.0,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,"Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring"
nNetapp_CVO,azcvohaclus-vm2,True,Compliant,55.0.0,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,"[Preview]: System updates should be installed on your machines (powered by Update Center)"
nNetapp_CVO,azcvohaclus-vm2,True,Compliant,55.0.0,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,"Management ports of virtual machines should be protected with just-in-time network access control"
nNetapp_CVO,azcvohaclus-vm2,True,Compliant,55.0.0,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,"Allowlist rules in your adaptive application control policy should be updated"
nNetapp_CVO,azcvohaclus-vm2,True,Compliant,55.0.0,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,audit,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,"[Preview]: Secure Boot should be enabled on supported Windows virtual machines"
nNetapp_CVO,azcvohaclus-vm1,True,Compliant,55.0.0,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],auditifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,"Vulnerabilities in container security configurations should be remediated"
nnetapp_cvo,azure-cvo-jumphost,True,Compliant,55.0.0,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,auditifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,"Allowlist rules in your adaptive application control policy should be updated"
nnetapp_cvo,azure-cvo-jumphost,True,Compliant,55.0.0,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],auditifnotexists,/providers/Microsoft.Management/managementGroups/MCAPSCore,Azure_Security_Baseline,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,"Management ports of virtual machines should be protected with just-in-time network access control"
nnetapp_cvo,azure-cvo-jumphost,True,Compliant,55.0.0,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,"[Preview]: System updates should be installed on your machines (powered by Update Center)"
nnetapp_cvo,azure-cvo-jumphost,True,Compliant,55.0.0,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,"Guest Configuration extension should be installed on your machines"
nnetapp_cvo,azure-cvo-jumphost,True,Compliant,55.0.0,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,auditifnotexists,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,SecurityCenterBuiltIn,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,"Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring"
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphostazure-cvo-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphostazure-cvo-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphostazure-cvo-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphostazure-cvo-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02azcvo-cloudcon0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphostazure-cvo-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphostazure-cvo-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphostazure-cvo-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphostazure-cvo-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphostazure-cvo-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphostazure-cvo-jumphost1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphostazure-cvo-jumphost1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2azcvohaclus-vm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2azcvohaclus-vm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2azcvohaclus-vm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2azcvohaclus-vm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2azcvohaclus-vm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphostazure-cvo-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphostazure-cvo-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphostazure-cvo-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphostazure-cvo-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphostazure-cvo-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphostazure-cvo-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphostazure-cvo-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphostazure-cvo-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphostazure-cvo-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphostazure-cvo-jumphost1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration3.0.0prerequisite_deployextensionlinux331e8ea8-378a-410f-a2e5-ae22f38bb0da/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0datbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphostazure-cvo-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphostazure-cvo-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm2azcvohaclus-vm255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphostazure-cvo-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphostazure-cvo-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphostazure-cvo-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphostazure-cvo-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphostazure-cvo-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphostazure-cvo-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphostazure-cvo-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphostazure-cvo-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphostazure-cvo-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphostazure-cvo-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphostazure-cvo-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphostazure-cvo-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1azcvohaclus-vm155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azure-cvo-jumphostazure-cvo-jumphost55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1azcvohaclus-vm155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1azcvohaclus-vm155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1azcvohaclus-vm155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1azcvohaclus-vm155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1azcvohaclus-vm155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1azcvohaclus-vm155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1azcvohaclus-vm155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1azcvohaclus-vm155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02azcvo-cloudcon0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1azcvohaclus-vm155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1azcvohaclus-vm155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1azcvohaclus-vm155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1azcvohaclus-vm155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1azcvohaclus-vm155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1azcvohaclus-vm155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1azcvohaclus-vm155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1azcvohaclus-vm11.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1azcvohaclus-vm11.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.network/virtualnetworks/cvo-vnet/subnets/defaultdefault55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.network/virtualnetworks/cvo-vnet/subnets/cvocvo55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.network/virtualnetworks/cvo-vnet/subnets/computecompute55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Network/virtualNetworkstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.network/virtualnetworks/cvo-vnetcvo-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0-previewazurefirewalleffectfc5e4038-4584-4632-8c85-c0448d374b2c/providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2cazure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewallNetwork[Preview]: All Internet traffic should be routed via your deployed Azure Firewall
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.network/virtualnetworks/cvo-vnet/subnets/azurebastionsubnetazurebastionsubnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Network/virtualNetworkstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.network/virtualnetworks/cvo-vnetcvo-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vnetenableddosprotectionmonitoringa7aca53f-2ed4-4466-a25e-0b45ade68efd/providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efdazure_security_benchmark_v3.0_ns-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.Security CenterAzure DDoS Protection Standard should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1azcvohaclus-vm155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02azcvo-cloudcon0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02azcvo-cloudcon0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02azcvo-cloudcon0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Network/virtualNetworkstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.network/virtualnetworks/cvo-vnetcvo-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02azcvo-cloudcon0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622nnetapp_cvoMicrosoft.Network/virtualNetworkstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.network/virtualnetworks/cvo-vnetcvo-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvo-cloudcon02azcvo-cloudcon0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1azcvohaclus-vm155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1azcvohaclus-vm155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1azcvohaclus-vm155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1azcvohaclus-vm155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622nNetapp_CVOMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/nnetapp_cvo/providers/microsoft.compute/virtualmachines/azcvohaclus-vm1azcvohaclus-vm155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01pb-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01pb-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01pb-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Compute/virtualMachinestbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01pb-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01pb-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01pb-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01pb-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01pb-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01pb-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01pb-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Storage/storageAccountstbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebrainsrcpinkyandthebrainsrc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Compute/virtualMachinestbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01pb-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2-previewascdependencyagentauditlinuxeffect04c4380f-3fae-46e8-96c9-30193528f602/providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602azure_security_benchmark_v3.0_lt-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecurity Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.Monitoring[Preview]: Network traffic data collection agent should be installed on Linux virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Compute/virtualMachinestbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01pb-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Compute/virtualMachinestbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01pb-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Compute/virtualMachinestbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01pb-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Compute/virtualMachinestbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01pb-spillbox0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01pb-spillbox011.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01pb-spillbox011.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01,pb-spillbox01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01,pb-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,Azure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01,pb-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,Monitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01,pb-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,Vulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01,pb-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Non-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01,pb-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01,pb-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2-preview,ascdependencyagentauditlinuxeffect,04c4380f-3fae-46e8-96c9-30193528f602,/providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602,azure_security_benchmark_v3.0_lt-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.",Monitoring,[Preview]: Network traffic data collection agent should be installed on Linux virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01,pb-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01,pb-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,SQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01,pb-spillbox01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,Authentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01,pb-license01,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,3.0.0,prerequisite_deployextensionlinux,331e8ea8-378a-410f-a2e5-ae22f38bb0da,/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da,,tbd,deployifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01,pb-spillbox01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,IP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01,pb-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,Adaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01,pb-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,Allowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Storage/storageAccounts,tbd,westus3,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebraintransfer,pinkyandthebraintransfer,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,Storage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01,pb-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines/extensions,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01/extensions/azurepolicyforlinux,azurepolicyforlinux,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01,pb-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01,pb-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,IP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01,pb-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,Management ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01,pb-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,Adaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01,pb-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,System updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01,pb-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,All network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Storage/storageAccounts,tbd,westus3,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebraintransfer,pinkyandthebraintransfer,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,Storage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01,pb-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01,pb-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01,pb-spillbox01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,Vulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01,pb-spillbox01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01,pb-spillbox01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Non-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01,pb-spillbox01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01,pb-spillbox01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,Allowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Compute/virtualMachinestbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01pb-spillbox0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01pb-spillbox0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01pb-spillbox0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01pb-spillbox011.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration3.0.0prerequisite_deployextensionlinux331e8ea8-378a-410f-a2e5-ae22f38bb0da/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0datbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01pb-spillbox0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Compute/virtualMachinestbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01pb-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Compute/virtualMachinestbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01pb-spillbox0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01pb-spillbox0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Compute/virtualMachinestbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01pb-spillbox0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Compute/virtualMachinestbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01pb-spillbox0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Compute/virtualMachinestbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01pb-spillbox0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Compute/virtualMachines/extensionstbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01pb-spillbox0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01pb-spillbox0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01pb-spillbox0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01pb-spillbox0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01pb-spillbox0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01pb-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Compute/virtualMachinestbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01pb-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Compute/virtualMachines/extensionstbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01pb-spillbox0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Compute/virtualMachines/extensionstbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Compute/virtualMachinestbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01pb-spillbox0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01,pb-spillbox01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,"Endpoint protection should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01,pb-spillbox01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,"[Preview]: Machines should be configured to periodically check for missing system updates"
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01,pb-spillbox01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,"[Preview]: vTPM should be enabled on supported virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01,pb-spillbox01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,"[Preview]: Secure Boot should be enabled on supported Windows virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01,pb-spillbox01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,"Virtual machines should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01,pb-spillbox01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,"[Preview]: Machines should be configured to periodically check for missing system updates"
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01,pb-spillbox01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,"[Preview]: vTPM should be enabled on supported virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01,pb-spillbox01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,"[Preview]: Secure Boot should be enabled on supported Windows virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,True,Exempt,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01,pb-spillbox01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,"System updates should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01,pb-spillbox01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,"Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring"
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01,pb-spillbox01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,"Management ports of virtual machines should be protected with just-in-time network access control"
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01,pb-spillbox01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,"Adaptive application controls for defining safe applications should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01,pb-spillbox01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,"Management ports should be closed on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01,pb-spillbox01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,"Allowlist rules in your adaptive application control policy should be updated"
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01,pb-spillbox01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Non-internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01,pb-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Linux machines should meet requirements for the Azure compute security baseline"
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01,pb-spillbox01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,"Vulnerabilities in security configuration on your machines should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01,pb-spillbox01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,"Monitor missing Endpoint Protection in Azure Security Center"
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01,pb-spillbox01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01,pb-spillbox01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,"A vulnerability assessment solution should be enabled on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01,pb-spillbox01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,"All network ports should be restricted on network security groups associated to your virtual machine"
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01,pb-spillbox01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,"SQL servers on machines should have vulnerability findings resolved"
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01,pb-spillbox01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,"SQL servers on machines should have vulnerability findings resolved"
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01,pb-spillbox01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,"Vulnerabilities in container security configurations should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01,pb-spillbox01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,"A vulnerability assessment solution should be enabled on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01,pb-spillbox01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01,pb-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Storage/storageAccounts,tbd,westus3,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebraindiag,pinkyandthebraindiag,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,"Storage accounts should restrict network access using virtual network rules"
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01,pb-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,"Vulnerabilities in security configuration on your machines should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Storage/storageAccounts,tbd,westus3,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebraindiag,pinkyandthebraindiag,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.1.1,disableunrestrictednetworktostorageaccountmonitoring,34c877ad-507e-4c82-993e-3452a6e0ad3c,/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges",Storage,"Storage accounts should restrict network access"
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Storage/storageAccounts,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebraindiag,pinkyandthebraindiag,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,"Secure transfer to storage accounts should be enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Storage/storageAccountstbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebraindiagpinkyandthebraindiag55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Storage/storageAccountstbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebraindiagpinkyandthebraindiag55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Storage/storageAccountstbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebraindiagpinkyandthebraindiag55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Storage/storageAccountstbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebrainsrcpinkyandthebrainsrc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Storage/storageAccountstbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebrainsrcpinkyandthebrainsrc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Storage/storageAccountstbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebrainsrcpinkyandthebrainsrc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Storage/storageAccountstbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebrainsrcpinkyandthebrainsrc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Storage/storageAccountstbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebrainsrcpinkyandthebrainsrc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Storage/storageAccountstbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebraintransferpinkyandthebraintransfer55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Storage/storageAccountstbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebrainsrcpinkyandthebrainsrc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Storage/storageAccountstbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebrainsrcpinkyandthebrainsrc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Storage/storageAccountstbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebraintransferpinkyandthebraintransfer55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Storage/storageAccountstbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebrainsrcpinkyandthebrainsrc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01pb-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Storage/storageAccountstbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebraintransferpinkyandthebraintransfer55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Storage/storageAccountstbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebraintransferpinkyandthebraintransfer55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Storage/storageAccountstbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebraintransferpinkyandthebraintransfer55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Storage/storageAccountstbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebraindiagpinkyandthebraindiag55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Storage/storageAccountstbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebraintransferpinkyandthebraintransfer55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Storage/storageAccountstbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebraindiagpinkyandthebraindiag55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Compute/virtualMachinestbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01pb-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Network/virtualNetworkstbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.network/virtualnetworks/pandb-vnetpandb-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vnetenableddosprotectionmonitoringa7aca53f-2ed4-4466-a25e-0b45ade68efd/providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efdazure_security_benchmark_v3.0_ns-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.Security CenterAzure DDoS Protection Standard should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.KeyVault/vaultstbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.keyvault/vaults/pinkykeyvault01pinkykeyvault0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center5.0.0diagnosticslogsinkeyvaultmonitoringcf820ca0-f99e-4f3e-84fb-66e913812d21/providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromisedKey VaultResource logs in Key Vault should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.KeyVault/vaultstbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.keyvault/vaults/pinkykeyvault01pinkykeyvault0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center5.0.0diagnosticslogsinkeyvaultmonitoringcf820ca0-f99e-4f3e-84fb-66e913812d21/providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromisedKey VaultResource logs in Key Vault should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Network/virtualNetworkstbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.network/virtualnetworks/pandb-vnetpandb-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0-previewazurefirewalleffectfc5e4038-4584-4632-8c85-c0448d374b2c/providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2cazure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewallNetwork[Preview]: All Internet traffic should be routed via your deployed Azure Firewall
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Network/virtualNetworkstbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.network/virtualnetworks/pandb-vnetpandb-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0-previewazurefirewalleffectfc5e4038-4584-4632-8c85-c0448d374b2c/providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2cazure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewallNetwork[Preview]: All Internet traffic should be routed via your deployed Azure Firewall
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.network/virtualnetworks/pandb-vnet/subnets/azurebastionsubnetazurebastionsubnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.network/virtualnetworks/pandb-vnet/subnets/defaultdefault55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.network/virtualnetworks/pandb-vnet/subnets/sn-computesn-compute55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Network/virtualNetworkstbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.network/virtualnetworks/pandb-vnetpandb-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.KeyVault/vaultstbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.keyvault/vaults/pinkykeyvault01pinkykeyvault0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0-previewprivateendpointshouldbeconfiguredforkeyvaultmonitoringeffect5f0bc445-3935-4915-9981-011aa2b46147/providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147System.Object[]tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePrivate link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration.Key Vault[Preview]: Private endpoint should be configured for Key Vault
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.KeyVault/vaultstbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.keyvault/vaults/pinkykeyvault01pinkykeyvault0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0firewallshouldbeenabledonkeyvaultmonitoringeffect55615ac9-af46-4a59-874e-391cc3dfb490/providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490System.Object[]tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-securityKey VaultAzure Key Vault should have firewall enabled
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.KeyVault/vaultstbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.keyvault/vaults/pinkykeyvault01pinkykeyvault0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0keyvaultsshouldhavesoftdeleteenabledmonitoringeffect1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d/providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2dazure_security_benchmark_v3.0_dp-8tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineDeleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.Key VaultKey vaults should have soft delete enabled
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.KeyVault/vaultstbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.keyvault/vaults/pinkykeyvault01pinkykeyvault0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect0b60c0b2-2dc2-4e1c-b5c9-abbed971de53/providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53azure_security_benchmark_v3.0_dp-8tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMalicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.Key VaultKey vaults should have purge protection enabled
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.KeyVault/vaultstbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.keyvault/vaults/pinkykeyvault01pinkykeyvault0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0-previewprivateendpointshouldbeconfiguredforkeyvaultmonitoringeffect5f0bc445-3935-4915-9981-011aa2b46147/providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147System.Object[]tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPrivate link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration.Key Vault[Preview]: Private endpoint should be configured for Key Vault
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.KeyVault/vaultstbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.keyvault/vaults/pinkykeyvault01pinkykeyvault0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0firewallshouldbeenabledonkeyvaultmonitoringeffect55615ac9-af46-4a59-874e-391cc3dfb490/providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490System.Object[]tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-securityKey VaultAzure Key Vault should have firewall enabled
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.KeyVault/vaultstbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.keyvault/vaults/pinkykeyvault01pinkykeyvault0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0keyvaultsshouldhavesoftdeleteenabledmonitoringeffect1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d/providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2dazure_security_benchmark_v3.0_dp-8tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDeleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.Key VaultKey vaults should have soft delete enabled
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.KeyVault/vaultstbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.keyvault/vaults/pinkykeyvault01pinkykeyvault0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect0b60c0b2-2dc2-4e1c-b5c9-abbed971de53/providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53azure_security_benchmark_v3.0_dp-8tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMalicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.Key VaultKey vaults should have purge protection enabled
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Network/virtualNetworkstbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.network/virtualnetworks/pandb-vnetpandb-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01pb-spillbox0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Storage/storageAccountstbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebraindiagpinkyandthebraindiag55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Storage/storageAccountstbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebraintransferpinkyandthebraintransfer55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Storage/storageAccountstbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebrainsrcpinkyandthebrainsrc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Storage/storageAccountstbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebraintransferpinkyandthebraintransfer55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01pb-license011.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Storage/storageAccountstbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebraintransferpinkyandthebraintransfer55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01pb-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Compute/virtualMachinestbdwestus3FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01pb-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01pb-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622pinkyandthebrainMicrosoft.Compute/virtualMachinestbdwestus3TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01pb-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01,pb-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01,pb-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01,pb-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01,pb-license01,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhennone,3cf2ab00-13f1-4d0c-8971-2ac904541a7e,/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01,pb-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01,pb-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Storage/storageAccounts,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebrainsrc,pinkyandthebrainsrc,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,Storage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01,pb-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,Guest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01,pb-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01,pb-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,Management ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01,pb-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,Adaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01,pb-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,Allowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01,pb-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01,pb-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Non-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,True,Exempt,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-license01,pb-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,System updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Storage/storageAccounts,tbd,westus3,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebraindiag,pinkyandthebraindiag,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,Storage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01,pb-spillbox01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,Authentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Storage/storageAccounts,tbd,westus3,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.storage/storageaccounts/pinkyandthebraindiag,pinkyandthebraindiag,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,Storage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01,pb-spillbox01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,Linux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622,pinkyandthebrain,Microsoft.Compute/virtualMachines,tbd,westus3,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pinkyandthebrain/providers/microsoft.compute/virtualmachines/pb-spillbox01,pb-spillbox01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,All network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622,Pure,Microsoft.Storage/storageAccounts,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.storage/storageaccounts/purenfsblobacct,purenfsblobacct,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622,Pure,Microsoft.Storage/storageAccounts,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.storage/storageaccounts/purediag898,purediag898,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,pure,Microsoft.Network/virtualNetworks,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.network/virtualnetworks/pure-vnet,pure-vnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vnetenableddosprotectionmonitoring,a7aca53f-2ed4-4466-a25e-0b45ade68efd,/providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd,azure_security_benchmark_v3.0_ns-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.",Security Center,Azure DDoS Protection Standard should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,Pure,Microsoft.Storage/storageAccounts,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.storage/storageaccounts/purediag898,purediag898,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,Storage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,Pure,Microsoft.Storage/storageAccounts,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.storage/storageaccounts/purediag898,purediag898,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622,Pure,Microsoft.Storage/storageAccounts,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.storage/storageaccounts/purediag898,purediag898,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,Storage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622,Pure,Microsoft.Storage/storageAccounts,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.storage/storageaccounts/purediag898,purediag898,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.1.1,disableunrestrictednetworktostorageaccountmonitoring,34c877ad-507e-4c82-993e-3452a6e0ad3c,/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges",Storage,Storage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622,Pure,Microsoft.Storage/storageAccounts,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.storage/storageaccounts/purediag898,purediag898,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,Storage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622,Pure,Microsoft.Storage/storageAccounts,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.storage/storageaccounts/purediag898,purediag898,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,Pure,Microsoft.Storage/storageAccounts,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.storage/storageaccounts/purediag898,purediag898,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,Storage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622,Pure,Microsoft.Storage/storageAccounts,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.storage/storageaccounts/purediag898,purediag898,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,Storage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622pureMicrosoft.Network/virtualNetworkstbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.network/virtualnetworks/pure-vnetpure-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622pureMicrosoft.Network/virtualNetworkstbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.network/virtualnetworks/pure-vnetpure-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622PureMicrosoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.storage/storageaccounts/purediag898purediag89855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622PureMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.storage/storageaccounts/purediag898purediag89855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622PureMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.storage/storageaccounts/purenfsblobacctpurenfsblobacct55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622PureMicrosoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.storage/storageaccounts/purenfsblobacctpurenfsblobacct55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622PureMicrosoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.storage/storageaccounts/purenfsblobacctpurenfsblobacct55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622PureMicrosoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.storage/storageaccounts/purenfsblobacctpurenfsblobacct55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622PureMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.storage/storageaccounts/purenfsblobacctpurenfsblobacct55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622PureMicrosoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.storage/storageaccounts/purenfsblobacctpurenfsblobacct55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622pureMicrosoft.Network/virtualNetworks/subnetstbdFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.network/virtualnetworks/pure-vnet/subnets/azpranfsubazpranfsub55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622pureMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.network/virtualnetworks/pure-vnet/subnets/azurebastionsubnetazurebastionsubnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622pureMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.network/virtualnetworks/pure-vnet/subnets/defaultdefault55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622pureMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.network/virtualnetworks/pure-vnet/subnets/gatewaysubnetgatewaysubnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622PureMicrosoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.storage/storageaccounts/purenfsblobacctpurenfsblobacct55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622pureMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.network/virtualnetworks/pure-vnet/subnets/sn-storagesn-storage55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622PureMicrosoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.storage/storageaccounts/purenfsblobacctpurenfsblobacct55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622PureMicrosoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.storage/storageaccounts/purenfsblobacctpurenfsblobacct55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622PureMicrosoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/pure/providers/microsoft.storage/storageaccounts/purenfsblobacctpurenfsblobacct55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljugascheduler-ga3dcobyg4ydkllfmq4dmljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01raz-afslic011.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljugascheduler-ga3dcobyg4ydkllfmq4dmljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljugascheduler-ga3dcobyg4ydkllfmq4dmljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga,scheduler-ga3dcobyg4ydkllfmq4dmljuga,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,Management ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-AFS-POC-East,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82,raz-cyclecloud82,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,Linux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga,scheduler-ga3dcobyg4ydkllfmq4dmljuga,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,Adaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga,scheduler-ga3dcobyg4ydkllfmq4dmljuga,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,SQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga,scheduler-ga3dcobyg4ydkllfmq4dmljuga,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,All network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga,scheduler-ga3dcobyg4ydkllfmq4dmljuga,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,A vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga,scheduler-ga3dcobyg4ydkllfmq4dmljuga,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga,scheduler-ga3dcobyg4ydkllfmq4dmljuga,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,Monitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga,scheduler-ga3dcobyg4ydkllfmq4dmljuga,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,Vulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga,scheduler-ga3dcobyg4ydkllfmq4dmljuga,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Non-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga,scheduler-ga3dcobyg4ydkllfmq4dmljuga,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga,scheduler-ga3dcobyg4ydkllfmq4dmljuga,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,Allowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga,scheduler-ga3dcobyg4ydkllfmq4dmljuga,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,Adaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga,scheduler-ga3dcobyg4ydkllfmq4dmljuga,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,Management ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga,scheduler-ga3dcobyg4ydkllfmq4dmljuga,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga,scheduler-ga3dcobyg4ydkllfmq4dmljuga,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhennone,3cf2ab00-13f1-4d0c-8971-2ac904541a7e,/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga,scheduler-ga3dcobyg4ydkllfmq4dmljuga,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhenuser,497dff13-db2a-4c0f-8603-28fa3b331ab6,/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga,scheduler-ga3dcobyg4ydkllfmq4dmljuga,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga,scheduler-ga3dcobyg4ydkllfmq4dmljuga,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga,scheduler-ga3dcobyg4ydkllfmq4dmljuga,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga,scheduler-ga3dcobyg4ydkllfmq4dmljuga,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-AFS-POC-East,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.storage/storageaccounts/razafscyclestore,razafscyclestore,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga,scheduler-ga3dcobyg4ydkllfmq4dmljuga,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga,scheduler-ga3dcobyg4ydkllfmq4dmljuga,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-AFS-POC-East,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82,raz-cyclecloud82,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,Authentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga,scheduler-ga3dcobyg4ydkllfmq4dmljuga,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Exempt,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga,scheduler-ga3dcobyg4ydkllfmq4dmljuga,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,System updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga,scheduler-ga3dcobyg4ydkllfmq4dmljuga,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga,scheduler-ga3dcobyg4ydkllfmq4dmljuga,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,Guest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga,scheduler-ga3dcobyg4ydkllfmq4dmljuga,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-AFS-POC-EastMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01/extensions/azurepolicyforwindowsazurepolicyforwindows55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-AFS-POC-EastMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.storage/storageaccounts/razafscyclestorerazafscyclestore55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-AFS-POC-EastMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.storage/storageaccounts/razafscyclestorerazafscyclestore55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01razaz-winjump0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljugascheduler-ga3dcobyg4ydkllfmq4dmljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljugascheduler-ga3dcobyg4ydkllfmq4dmljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljugascheduler-ga3dcobyg4ydkllfmq4dmljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljugascheduler-ga3dcobyg4ydkllfmq4dmljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01razaz-winjump0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect5752e6d6-1206-46d8-8ab1-ecc2f71a8112/providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112azure_security_benchmark_v3.0_dp-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.Guest ConfigurationWindows web servers should be configured to use secure communication protocols
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01razaz-winjump0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0windowsdefenderexploitguardmonitoringbed48b13-6647-468e-aa2f-1af1d3f4dd40/providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinWindows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).Guest ConfigurationWindows Defender Exploit Guard should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01razaz-winjump0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0windowsguestconfigbaselinesmonitoring72650e9f-97bc-4b2a-ab5f-9781a9fcecbc/providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbcazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationWindows machines should meet requirements of the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljugascheduler-ga3dcobyg4ydkllfmq4dmljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-AFS-POC-EastMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82raz-cyclecloud8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljugascheduler-ga3dcobyg4ydkllfmq4dmljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-AFS-POC-EastMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.storage/storageaccounts/razafscyclestorerazafscyclestore55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-AFS-POC-EastMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.storage/storageaccounts/razazafspoceastdiagrazazafspoceastdiag55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-AFS-POC-EastMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.storage/storageaccounts/razazafspoceastdiagrazazafspoceastdiag55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-AFS-POC-EastMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.storage/storageaccounts/razafscyclestorerazafscyclestore55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-AFS-POC-EastMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.storage/storageaccounts/razafscyclestorerazafscyclestore55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-AFS-POC-East,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.storage/storageaccounts/razafscyclestore,razafscyclestore,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-AFS-POC-East,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.storage/storageaccounts/razafscyclestore,razafscyclestore,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,Storage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-AFS-POC-East,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.storage/storageaccounts/razafscyclestore,razafscyclestore,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-AFS-POC-East,Microsoft.Storage/storageAccounts,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.storage/storageaccounts/razafscyclestore,razafscyclestore,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,Storage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-AFS-POC-East,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.storage/storageaccounts/razazafspoceastdiag,razazafspoceastdiag,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-AFS-POC-East,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.storage/storageaccounts/razafscyclestore,razafscyclestore,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-AFS-POC-East,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.storage/storageaccounts/razazafspoceastdiag,razazafspoceastdiag,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,Storage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-AFS-POC-East,Microsoft.Storage/storageAccounts,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.storage/storageaccounts/razazafspoceastdiag,razazafspoceastdiag,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,Storage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-AFS-POC-East,Microsoft.Storage/storageAccounts,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.storage/storageaccounts/razazafspoceastdiag,razazafspoceastdiag,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.1.1,disableunrestrictednetworktostorageaccountmonitoring,34c877ad-507e-4c82-993e-3452a6e0ad3c,/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges",Storage,Storage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-AFS-POC-East,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.storage/storageaccounts/razazafspoceastdiag,razazafspoceastdiag,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-AFS-POC-East,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.storage/storageaccounts/razazafspoceastdiag,razazafspoceastdiag,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,Storage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-AFS-POC-East,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.storage/storageaccounts/razazafspoceastdiag,razazafspoceastdiag,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-AFS-POC-East,Microsoft.Storage/storageAccounts,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.storage/storageaccounts/razazafspoceastdiag,razazafspoceastdiag,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,Storage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-AFS-POC-East,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.storage/storageaccounts/razazafspoceastdiag,razazafspoceastdiag,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01,razaz-winjump01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01,razaz-winjump01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01,razaz-winjump01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2-preview,ascdependencyagentauditwindowseffect,2f2ee1de-44aa-4762-b6bd-0893fc3f306d,/providers/microsoft.authorization/policydefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d,azure_security_benchmark_v3.0_lt-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.",Monitoring,[Preview]: Network traffic data collection agent should be installed on Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01,razaz-winjump01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,Management ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01,razaz-winjump01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,Adaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01,razaz-winjump01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,SQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01,razaz-winjump01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,All network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01,razaz-winjump01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,A vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-AFS-POC-East,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82,raz-cyclecloud82,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,Authentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01,razaz-winjump01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01,razaz-winjump01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,Monitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01,razaz-winjump01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,Vulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01,razaz-winjump01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Non-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01,razaz-winjump01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01,razaz-winjump01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,Allowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01,razaz-winjump01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,Adaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01,razaz-winjump01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,Management ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01razaz-winjump0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01razaz-winjump0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01razaz-winjump0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01razaz-winjump011.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01razaz-winjump011.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljugascheduler-ga3dcobyg4ydkllfmq4dmljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01razaz-winjump0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01razaz-winjump0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01razaz-winjump0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01razaz-winjump0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01razaz-winjump0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01razaz-winjump0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01razaz-winjump0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01razaz-winjump0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01razaz-winjump0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-AFS-POC-EastMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01/extensions/azurepolicyforwindowsazurepolicyforwindows55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01raz-afslic011.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01razaz-winjump0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01razaz-winjump0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01razaz-winjump0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2-previewascdependencyagentauditwindowseffect2f2ee1de-44aa-4762-b6bd-0893fc3f306d/providers/microsoft.authorization/policydefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306dazure_security_benchmark_v3.0_lt-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSecurity Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.Monitoring[Preview]: Network traffic data collection agent should be installed on Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01razaz-winjump0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Network/virtualNetworkstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.network/virtualnetworks/afs-vnetafs-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0-previewazurefirewalleffectfc5e4038-4584-4632-8c85-c0448d374b2c/providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2cazure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewallNetwork[Preview]: All Internet traffic should be routed via your deployed Azure Firewall
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.network/virtualnetworks/afs-vnet/subnets/sn-computesn-compute55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Network/virtualNetworks/subnetstbdFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.network/virtualnetworks/afs-vnet/subnets/sn-anfsn-anf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.network/virtualnetworks/afs-vnet/subnets/defaultdefault55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.network/virtualnetworks/afs-vnet/subnets/azurebastionsubnetazurebastionsubnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Network/virtualNetworkstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.network/virtualnetworks/afs-vnetafs-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0-previewazurefirewalleffectfc5e4038-4584-4632-8c85-c0448d374b2c/providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2cazure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewallNetwork[Preview]: All Internet traffic should be routed via your deployed Azure Firewall
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Network/virtualNetworkstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.network/virtualnetworks/afs-vnetafs-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Network/virtualNetworkstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.network/virtualnetworks/afs-vnetafs-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vnetenableddosprotectionmonitoringa7aca53f-2ed4-4466-a25e-0b45ade68efd/providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efdazure_security_benchmark_v3.0_ns-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.Security CenterAzure DDoS Protection Standard should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01razaz-winjump0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01razaz-winjump0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01razaz-winjump0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01razaz-winjump0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01razaz-winjump0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01razaz-winjump0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect5752e6d6-1206-46d8-8ab1-ecc2f71a8112/providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112azure_security_benchmark_v3.0_dp-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.Guest ConfigurationWindows web servers should be configured to use secure communication protocols
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01razaz-winjump0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljugascheduler-ga3dcobyg4ydkllfmq4dmljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Network/virtualNetworkstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.network/virtualnetworks/afs-vnetafs-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01razaz-winjump0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01razaz-winjump0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01razaz-winjump0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01razaz-winjump011.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration1.2.0prerequisite_deployextensionwindows385f5831-96d4-41db-9a3c-cd3af78aaae6/providers/microsoft.authorization/policydefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6tbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01razaz-winjump0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01razaz-winjump0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01razaz-winjump0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01razaz-winjump0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01razaz-winjump0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01razaz-winjump0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01razaz-winjump0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01razaz-winjump0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01,razaz-winjump01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc,Security Center,Non-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01,razaz-winjump01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations,Security Center,Vulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01,razaz-winjump01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations,Security Center,Monitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01,razaz-winjump01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations,Security Center,Management ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga,scheduler-ga3dcobyg4ydkllfmq4dmljuga,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.,Security Center,Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01,razaz-winjump01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,windowsdefenderexploitguardmonitoring,bed48b13-6647-468e-aa2f-1af1d3f4dd40,/providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).,Guest Configuration,Windows Defender Exploit Guard should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga,scheduler-ga3dcobyg4ydkllfmq4dmljuga,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.,Security Center,Management ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01,raz-afslic01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2-preview,ascdependencyagentauditlinuxeffect,04c4380f-3fae-46e8-96c9-30193528f602,/providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602,azure_security_benchmark_v3.0_lt-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.",Monitoring,[Preview]: Network traffic data collection agent should be installed on Linux virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01,raz-afslic01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.,Security Center,Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01,raz-afslic01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,IP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01,raz-afslic01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.,Security Center,Management ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01,raz-afslic01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface,Security Center,Adaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01,raz-afslic01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,SQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01,raz-afslic01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.,Backup,Azure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01,raz-afslic01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.,Security Center,All network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01,raz-afslic01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01,raz-afslic01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations,Security Center,Monitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01,raz-afslic01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations,Security Center,Vulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01,raz-afslic01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc,Security Center,Non-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01,raz-afslic01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc,Security Center,Internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01,raz-afslic01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.,Security Center,Allowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01,raz-afslic01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,A vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01,raz-afslic01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01,raz-afslic01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.,Security Center,Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-AFS-POC-East,Microsoft.Compute/virtualMachines/extensions,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01/extensions/azurepolicyforlinux,azurepolicyforlinux,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol,Security Center,Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-AFS-POC-East,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82,raz-cyclecloud82,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats,Security Center,Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines/extensions,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82/extensions/azurepolicyforlinux,azurepolicyforlinux,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol,Security Center,Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines/extensions,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82/extensions/azurepolicyforlinux,azurepolicyforlinux,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol,Security Center,Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-AFS-POC-East,Microsoft.Compute/virtualMachines,tbd,eastus,True,Exempt,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82,raz-cyclecloud82,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,Missing security system updates on your servers will be monitored by Azure Security Center as recommendations,Security Center,System updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-afs-poc-east,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga,scheduler-ga3dcobyg4ydkllfmq4dmljuga,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,IP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-AFS-POC-East,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82,raz-cyclecloud82,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,razaz-AFS-POC-East,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82,raz-cyclecloud82,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-AFS-POC-EastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82raz-cyclecloud8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-AFS-POC-EastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82raz-cyclecloud8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-AFS-POC-EastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82raz-cyclecloud8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-AFS-POC-EastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82raz-cyclecloud8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-AFS-POC-EastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82raz-cyclecloud8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-AFS-POC-EastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82raz-cyclecloud821.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-AFS-POC-EastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82raz-cyclecloud821.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-AFS-POC-EastMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01raz-afslic0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01raz-afslic0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01raz-afslic0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01raz-afslic0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01raz-afslic0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01raz-afslic0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01raz-afslic0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01raz-afslic0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01raz-afslic0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01raz-afslic0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01raz-afslic0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01raz-afslic0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01raz-afslic0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01raz-afslic0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 1.0.0 | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da | tbd | deployifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.2-preview | ascdependencyagentauditlinuxeffect | 04c4380f-3fae-46e8-96c9-30193528f602 | /providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602 | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01 | raz-afslic01 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-afs-poc-east | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljuga | scheduler-ga3dcobyg4ydkllfmq4dmljuga | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | razaz-AFS-POC-East | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82 | raz-cyclecloud82 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-AFS-POC-EastMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82raz-cyclecloud8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-AFS-POC-EastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82raz-cyclecloud8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-AFS-POC-EastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82raz-cyclecloud8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-AFS-POC-EastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82raz-cyclecloud8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-AFS-POC-EastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82raz-cyclecloud8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-AFS-POC-EastMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82raz-cyclecloud8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-AFS-POC-EastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82raz-cyclecloud8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-AFS-POC-EastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82raz-cyclecloud8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-AFS-POC-EastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82raz-cyclecloud8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-AFS-POC-EastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82raz-cyclecloud8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-AFS-POC-EastMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82raz-cyclecloud8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-AFS-POC-EastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82raz-cyclecloud8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/razaz-winjump01razaz-winjump0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0windowsguestconfigbaselinesmonitoring72650e9f-97bc-4b2a-ab5f-9781a9fcecbc/providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbcazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationWindows machines should meet requirements of the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljugascheduler-ga3dcobyg4ydkllfmq4dmljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljugascheduler-ga3dcobyg4ydkllfmq4dmljuga1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration3.0.0prerequisite_deployextensionlinux331e8ea8-378a-410f-a2e5-ae22f38bb0da/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0datbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljugascheduler-ga3dcobyg4ydkllfmq4dmljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljugascheduler-ga3dcobyg4ydkllfmq4dmljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljugascheduler-ga3dcobyg4ydkllfmq4dmljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljugascheduler-ga3dcobyg4ydkllfmq4dmljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljugascheduler-ga3dcobyg4ydkllfmq4dmljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljugascheduler-ga3dcobyg4ydkllfmq4dmljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljugascheduler-ga3dcobyg4ydkllfmq4dmljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljugascheduler-ga3dcobyg4ydkllfmq4dmljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-AFS-POC-EastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82raz-cyclecloud8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljugascheduler-ga3dcobyg4ydkllfmq4dmljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01raz-afslic0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljugascheduler-ga3dcobyg4ydkllfmq4dmljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljugascheduler-ga3dcobyg4ydkllfmq4dmljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljugascheduler-ga3dcobyg4ydkllfmq4dmljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljugascheduler-ga3dcobyg4ydkllfmq4dmljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljugascheduler-ga3dcobyg4ydkllfmq4dmljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/scheduler-ga3dcobyg4ydkllfmq4dmljugascheduler-ga3dcobyg4ydkllfmq4dmljuga55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01raz-afslic0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-AFS-POC-EastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82raz-cyclecloud8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-AFS-POC-EastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82raz-cyclecloud8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-AFS-POC-EastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82raz-cyclecloud8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-AFS-POC-EastMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82raz-cyclecloud8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-AFS-POC-EastMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82raz-cyclecloud8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-AFS-POC-EastMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82raz-cyclecloud8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-AFS-POC-EastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82raz-cyclecloud8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-AFS-POC-EastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82raz-cyclecloud8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-AFS-POC-EastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82raz-cyclecloud8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-afs-poc-eastMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-afslic01raz-afslic0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-AFS-POC-EastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82raz-cyclecloud8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-AFS-POC-EastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82raz-cyclecloud8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-AFS-POC-EastMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82raz-cyclecloud8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-AFS-POC-EastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82raz-cyclecloud8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-AFS-POC-EastMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82raz-cyclecloud8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-AFS-POC-EastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82raz-cyclecloud8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622razaz-AFS-POC-EastMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82raz-cyclecloud8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
Resource: raz-cyclecloud82 | Microsoft.Compute/virtualMachines | eastus | tags: tbd
Subscription: 1d81cec7-7ded-4731-884e-90c5aa59c622 | Resource group: razaz-AFS-POC-East
Resource ID: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82
Compliance: NonCompliant (IsCompliant: False)
Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
Policy definition: e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 (v3.0.0, reference: systemconfigurationsmonitoring, group: azure_security_benchmark_v3.0_pv-6, category: tbd, effect: auditifnotexists) | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15
Assignment: SecurityCenterBuiltIn (scope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622, parameters: tbd) | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
Policy: Vulnerabilities in security configuration on your machines should be remediated (Security Center)
Description: Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations

Resource: raz-cyclecloud82 | Microsoft.Compute/virtualMachines | eastus | tags: tbd
Subscription: 1d81cec7-7ded-4731-884e-90c5aa59c622 | Resource group: razaz-AFS-POC-East
Resource ID: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82
Compliance: Compliant (IsCompliant: True)
Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
Policy definition: bb91dfba-c30d-4263-9add-9c2384e659a6 (v3.0.0, reference: networksecuritygroupsoninternalvirtualmachinesmonitoring, group: azure_security_benchmark_v3.0_ns-1, category: tbd, effect: auditifnotexists) | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6
Assignment: SecurityCenterBuiltIn (scope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622, parameters: tbd) | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
Policy: Non-internet-facing virtual machines should be protected with network security groups (Security Center)
Description: Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc

Resource: raz-cyclecloud82 | Microsoft.Compute/virtualMachines | eastus | tags: tbd
Subscription: 1d81cec7-7ded-4731-884e-90c5aa59c622 | Resource group: razaz-AFS-POC-East
Resource ID: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82
Compliance: Compliant (IsCompliant: True)
Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
Policy definition: f6de0be7-9a8a-4b8a-b349-43cf02d22f7c (v3.0.0, reference: networksecuritygroupsonvirtualmachinesmonitoring, group: azure_security_benchmark_v3.0_ns-1, category: tbd, effect: auditifnotexists) | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c
Assignment: SecurityCenterBuiltIn (scope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622, parameters: tbd) | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
Policy: Internet-facing virtual machines should be protected with network security groups (Security Center)
Description: Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc

Resource: raz-cyclecloud82 | Microsoft.Compute/virtualMachines | eastus | tags: tbd
Subscription: 1d81cec7-7ded-4731-884e-90c5aa59c622 | Resource group: razaz-AFS-POC-East
Resource ID: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82
Compliance: Compliant (IsCompliant: True)
Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
Policy definition: 123a3936-f020-408a-ba0c-47873faf1534 (v3.0.0, reference: adaptiveapplicationcontrolsupdatemonitoring, group: azure_security_benchmark_v3.0_am-5, category: tbd, effect: auditifnotexists) | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534
Assignment: SecurityCenterBuiltIn (scope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622, parameters: tbd) | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
Policy: Allowlist rules in your adaptive application control policy should be updated (Security Center)
Description: Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.

Resource: raz-cyclecloud82 | Microsoft.Compute/virtualMachines | eastus | tags: tbd
Subscription: 1d81cec7-7ded-4731-884e-90c5aa59c622 | Resource group: razaz-AFS-POC-East
Resource ID: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82
Compliance: Compliant (IsCompliant: True)
Policy set: 12794019-7a00-42cf-95c2-882eed337cc8 (v1.0.0, category: guest configuration) | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8
Policy definition: 331e8ea8-378a-410f-a2e5-ae22f38bb0da (v3.0.0, reference: prerequisite_deployextensionlinux, category: tbd, effect: deployifnotexists) | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da
Assignment: f34f1577286a4f77b5dd107c (scope: /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd, parameters: tbd) | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c
Policy: Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs (Guest Configuration)
Description: This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.

Resource: raz-cyclecloud82 | Microsoft.Compute/virtualMachines | eastus | tags: tbd
Subscription: 1d81cec7-7ded-4731-884e-90c5aa59c622 | Resource group: razaz-AFS-POC-East
Resource ID: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82
Compliance: Compliant (IsCompliant: True)
Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
Policy definition: ae89ebca-1c92-4898-ac2c-9f63decb045c (v1.0.2, reference: gcextonvmmonitoring, group: azure_security_benchmark_v3.0_pv-4, category: tbd, effect: auditifnotexists) | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c
Assignment: Azure_Security_Baseline (scope: /providers/Microsoft.Management/managementGroups/MCAPSCore, parameters: tbd) | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
Policy: Guest Configuration extension should be installed on your machines (Security Center)
Description: To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.

Resource: raz-cyclecloud82 | Microsoft.Compute/virtualMachines | eastus | tags: tbd
Subscription: 1d81cec7-7ded-4731-884e-90c5aa59c622 | Resource group: razaz-AFS-POC-East
Resource ID: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82
Compliance: NonCompliant (IsCompliant: False)
Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
Policy definition: 47a6b606-51aa-4496-8bb7-64b11cf66adc (v3.0.0, reference: adaptiveapplicationcontrolsmonitoring, group: azure_security_benchmark_v3.0_am-5, category: tbd, effect: auditifnotexists) | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc
Assignment: SecurityCenterBuiltIn (scope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622, parameters: tbd) | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
Policy: Adaptive application controls for defining safe applications should be enabled on your machines (Security Center)
Description: Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.

Resource: raz-cyclecloud82 | Microsoft.Compute/virtualMachines | eastus | tags: tbd
Subscription: 1d81cec7-7ded-4731-884e-90c5aa59c622 | Resource group: razaz-AFS-POC-East
Resource ID: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82
Compliance: Compliant (IsCompliant: True)
Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
Policy definition: 86b3d65f-7626-441e-b690-81a8b71cff60 (v4.0.0, reference: systemupdatesmonitoring, group: azure_security_benchmark_v3.0_pv-6, category: tbd, effect: auditifnotexists) | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60
Assignment: Azure_Security_Baseline (scope: /providers/Microsoft.Management/managementGroups/MCAPSCore, parameters: tbd) | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
Policy: System updates should be installed on your machines (Security Center)
Description: Missing security system updates on your servers will be monitored by Azure Security Center as recommendations

Resource: raz-cyclecloud82 | Microsoft.Compute/virtualMachines | eastus | tags: tbd
Subscription: 1d81cec7-7ded-4731-884e-90c5aa59c622 | Resource group: razaz-AFS-POC-East
Resource ID: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82
Compliance: Compliant (IsCompliant: True)
Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
Policy definition: f85bf3e0-d513-442e-89c3-1784ad63382b (v1.0.0-preview, reference: systemupdatesv2monitoring, group: azure_security_benchmark_v3.0_pv-6, category: tbd, effect: auditifnotexists) | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b
Assignment: Azure_Security_Baseline (scope: /providers/Microsoft.Management/managementGroups/MCAPSCore, parameters: tbd) | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
Policy: [Preview]: System updates should be installed on your machines (powered by Update Center) (Security Center)
Description: Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.

Resource: raz-cyclecloud82 | Microsoft.Compute/virtualMachines | eastus | tags: tbd
Subscription: 1d81cec7-7ded-4731-884e-90c5aa59c622 | Resource group: razaz-AFS-POC-East
Resource ID: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/razaz-afs-poc-east/providers/microsoft.compute/virtualmachines/raz-cyclecloud82
Compliance: Compliant (IsCompliant: True)
Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
Policy definition: 0961003e-5a0a-4549-abde-af6a37f2724d (v2.0.3, reference: diskencryptionmonitoring, group: azure_security_benchmark_v3.0_dp-4, category: tbd, effect: auditifnotexists) | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d
Assignment: SecurityCenterBuiltIn (scope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622, parameters: tbd) | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
Policy: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources (Security Center)
Description: By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison

Resource: sacyclecloudlab3 | Microsoft.Storage/storageAccounts | southcentralus | tags: tbd
Subscription: 1d81cec7-7ded-4731-884e-90c5aa59c622 | Resource group: rg-marcusga-hpc1
Resource ID: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.storage/storageaccounts/sacyclecloudlab3
Compliance: NonCompliant (IsCompliant: False)
Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
Policy definition: 6edd7eda-6dd8-40f7-810d-67160c639cd9 (v2.0.0, reference: storageaccountshoulduseaprivatelinkconnectionmonitoringeffect, group: azure_security_benchmark_v3.0_ns-2, category: tbd, effect: auditifnotexists) | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9
Assignment: SecurityCenterBuiltIn (scope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622, parameters: tbd) | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
Policy: Storage accounts should use private link (Storage)
Description: Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview

Resource: sacyclecloudlab3 | Microsoft.Storage/storageAccounts | southcentralus | tags: tbd
Subscription: 1d81cec7-7ded-4731-884e-90c5aa59c622 | Resource group: rg-marcusga-hpc1
Resource ID: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.storage/storageaccounts/sacyclecloudlab3
Compliance: NonCompliant (IsCompliant: False)
Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
Policy definition: 6edd7eda-6dd8-40f7-810d-67160c639cd9 (v2.0.0, reference: storageaccountshoulduseaprivatelinkconnectionmonitoringeffect, group: azure_security_benchmark_v3.0_ns-2, category: tbd, effect: auditifnotexists) | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9
Assignment: Azure_Security_Baseline (scope: /providers/Microsoft.Management/managementGroups/MCAPSCore, parameters: tbd) | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
Policy: Storage accounts should use private link (Storage)
Description: Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview

Resource: sacyclecloudlab3 | Microsoft.Storage/storageAccounts | southcentralus | tags: tbd
Subscription: 1d81cec7-7ded-4731-884e-90c5aa59c622 | Resource group: rg-marcusga-hpc1
Resource ID: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.storage/storageaccounts/sacyclecloudlab3
Compliance: NonCompliant (IsCompliant: False)
Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
Policy definition: 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f (v1.0.1, reference: storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect, group: azure_security_benchmark_v3.0_ns-2, category: tbd, effect: audit) | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f
Assignment: Azure_Security_Baseline (scope: /providers/Microsoft.Management/managementGroups/MCAPSCore, parameters: tbd) | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
Policy: Storage accounts should restrict network access using virtual network rules (Storage)
Description: Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.

Resource: sacyclecloudlab3 | Microsoft.Storage/storageAccounts | southcentralus | tags: tbd
Subscription: 1d81cec7-7ded-4731-884e-90c5aa59c622 | Resource group: rg-marcusga-hpc1
Resource ID: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.storage/storageaccounts/sacyclecloudlab3
Compliance: NonCompliant (IsCompliant: False)
Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
Policy definition: 34c877ad-507e-4c82-993e-3452a6e0ad3c (v1.1.1, reference: disableunrestrictednetworktostorageaccountmonitoring, group: azure_security_benchmark_v3.0_ns-2, category: tbd, effect: audit) | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c
Assignment: Azure_Security_Baseline (scope: /providers/Microsoft.Management/managementGroups/MCAPSCore, parameters: tbd) | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
Policy: Storage accounts should restrict network access (Storage)
Description: Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges

Resource: sacyclecloudlab3 | Microsoft.Storage/storageAccounts | southcentralus | tags: tbd
Subscription: 1d81cec7-7ded-4731-884e-90c5aa59c622 | Resource group: rg-marcusga-hpc1
Resource ID: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.storage/storageaccounts/sacyclecloudlab3
Compliance: Compliant (IsCompliant: True)
Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
Policy definition: 37e0d2fe-28a5-43d6-a273-67d37d1f5606 (v1.0.0, reference: classicstorageaccountsmonitoring, group: azure_security_benchmark_v3.0_am-2, category: tbd, effect: audit) | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606
Assignment: Azure_Security_Baseline (scope: /providers/Microsoft.Management/managementGroups/MCAPSCore, parameters: tbd) | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
Policy: Storage accounts should be migrated to new Azure Resource Manager resources (Storage)
Description: Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management

Resource: vnet-hpc-southcentralus | Microsoft.Network/virtualNetworks | southcentralus | tags: tbd
Subscription: 1d81cec7-7ded-4731-884e-90c5aa59c622 | Resource group: rg-marcusga-hpc1
Resource ID: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.network/virtualnetworks/vnet-hpc-southcentralus
Compliance: Compliant (IsCompliant: True)
Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
Policy definition: b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 (v3.0.0, reference: networkwatchershouldbeenabledmonitoringeffect, group: azure_security_benchmark_v3.0_ir-4, category: tbd, effect: auditifnotexists) | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6
Assignment: SecurityCenterBuiltIn (scope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622, parameters: tbd) | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
Policy: Network Watcher should be enabled (Network)
Description: Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.

Resource: vnet-hpc-southcentralus | Microsoft.Network/virtualNetworks | southcentralus | tags: tbd
Subscription: 1d81cec7-7ded-4731-884e-90c5aa59c622 | Resource group: rg-marcusga-hpc1
Resource ID: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.network/virtualnetworks/vnet-hpc-southcentralus
Compliance: Compliant (IsCompliant: True)
Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
Policy definition: b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 (v3.0.0, reference: networkwatchershouldbeenabledmonitoringeffect, group: azure_security_benchmark_v3.0_ir-4, category: tbd, effect: auditifnotexists) | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6
Assignment: Azure_Security_Baseline (scope: /providers/Microsoft.Management/managementGroups/MCAPSCore, parameters: tbd) | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
Policy: Network Watcher should be enabled (Network)
Description: Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.

Resource: user | Microsoft.Network/virtualNetworks/subnets | tags: tbd
Subscription: 1d81cec7-7ded-4731-884e-90c5aa59c622 | Resource group: rg-marcusga-hpc1
Resource ID: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.network/virtualnetworks/vnet-hpc-southcentralus/subnets/user
Compliance: Compliant (IsCompliant: True)
Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
Policy definition: e71308d3-144b-4262-b144-efdc3cc90517 (v3.0.0, reference: networksecuritygroupsonsubnetsmonitoring, group: azure_security_benchmark_v3.0_ns-1, category: tbd, effect: auditifnotexists) | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517
Assignment: Azure_Security_Baseline (scope: /providers/Microsoft.Management/managementGroups/MCAPSCore, parameters: tbd) | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
Policy: Subnets should be associated with a Network Security Group (Security Center)
Description: Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.

Resource: visualization | Microsoft.Network/virtualNetworks/subnets | tags: tbd
Subscription: 1d81cec7-7ded-4731-884e-90c5aa59c622 | Resource group: rg-marcusga-hpc1
Resource ID: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.network/virtualnetworks/vnet-hpc-southcentralus/subnets/visualization
Compliance: Compliant (IsCompliant: True)
Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
Policy definition: e71308d3-144b-4262-b144-efdc3cc90517 (v3.0.0, reference: networksecuritygroupsonsubnetsmonitoring, group: azure_security_benchmark_v3.0_ns-1, category: tbd, effect: auditifnotexists) | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517
Assignment: Azure_Security_Baseline (scope: /providers/Microsoft.Management/managementGroups/MCAPSCore, parameters: tbd) | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
Policy: Subnets should be associated with a Network Security Group (Security Center)
Description: Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.

Resource: lustre | Microsoft.Network/virtualNetworks/subnets | tags: tbd
Subscription: 1d81cec7-7ded-4731-884e-90c5aa59c622 | Resource group: rg-marcusga-hpc1
Resource ID: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.network/virtualnetworks/vnet-hpc-southcentralus/subnets/lustre
Compliance: Compliant (IsCompliant: True)
Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
Policy definition: e71308d3-144b-4262-b144-efdc3cc90517 (v3.0.0, reference: networksecuritygroupsonsubnetsmonitoring, group: azure_security_benchmark_v3.0_ns-1, category: tbd, effect: auditifnotexists) | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517
Assignment: Azure_Security_Baseline (scope: /providers/Microsoft.Management/managementGroups/MCAPSCore, parameters: tbd) | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
Policy: Subnets should be associated with a Network Security Group (Security Center)
Description: Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.

Resource: hpc-cache | Microsoft.Network/virtualNetworks/subnets | tags: tbd
Subscription: 1d81cec7-7ded-4731-884e-90c5aa59c622 | Resource group: rg-marcusga-hpc1
Resource ID: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.network/virtualnetworks/vnet-hpc-southcentralus/subnets/hpc-cache
Compliance: Compliant (IsCompliant: True)
Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
Policy definition: e71308d3-144b-4262-b144-efdc3cc90517 (v3.0.0, reference: networksecuritygroupsonsubnetsmonitoring, group: azure_security_benchmark_v3.0_ns-1, category: tbd, effect: auditifnotexists) | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517
Assignment: Azure_Security_Baseline (scope: /providers/Microsoft.Management/managementGroups/MCAPSCore, parameters: tbd) | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
Policy: Subnets should be associated with a Network Security Group (Security Center)
Description: Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.

Resource: frontend | Microsoft.Network/virtualNetworks/subnets | tags: tbd
Subscription: 1d81cec7-7ded-4731-884e-90c5aa59c622 | Resource group: rg-marcusga-hpc1
Resource ID: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.network/virtualnetworks/vnet-hpc-southcentralus/subnets/frontend
Compliance: Compliant (IsCompliant: True)
Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
Policy definition: e71308d3-144b-4262-b144-efdc3cc90517 (v3.0.0, reference: networksecuritygroupsonsubnetsmonitoring, group: azure_security_benchmark_v3.0_ns-1, category: tbd, effect: auditifnotexists) | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517
Assignment: Azure_Security_Baseline (scope: /providers/Microsoft.Management/managementGroups/MCAPSCore, parameters: tbd) | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
Policy: Subnets should be associated with a Network Security Group (Security Center)
Description: Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.

Resource: cyclecloud | Microsoft.Network/virtualNetworks/subnets | tags: tbd
Subscription: 1d81cec7-7ded-4731-884e-90c5aa59c622 | Resource group: rg-marcusga-hpc1
Resource ID: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.network/virtualnetworks/vnet-hpc-southcentralus/subnets/cyclecloud
Compliance: Compliant (IsCompliant: True)
Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
Policy definition: e71308d3-144b-4262-b144-efdc3cc90517 (v3.0.0, reference: networksecuritygroupsonsubnetsmonitoring, group: azure_security_benchmark_v3.0_ns-1, category: tbd, effect: auditifnotexists) | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517
Assignment: Azure_Security_Baseline (scope: /providers/Microsoft.Management/managementGroups/MCAPSCore, parameters: tbd) | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
Policy: Subnets should be associated with a Network Security Group (Security Center)
Description: Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.

Resource: sacyclecloudlab3 | Microsoft.Storage/storageAccounts | southcentralus | tags: tbd
Subscription: 1d81cec7-7ded-4731-884e-90c5aa59c622 | Resource group: rg-marcusga-hpc1
Resource ID: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.storage/storageaccounts/sacyclecloudlab3
Compliance: Compliant (IsCompliant: True)
Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
Policy definition: 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 (v3.1.0-preview, reference: storagedisallowpublicaccess, group: azure_security_benchmark_v3.0_ns-2, category: tbd, effect: audit) | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751
Assignment: Azure_Security_Baseline (scope: /providers/Microsoft.Management/managementGroups/MCAPSCore, parameters: tbd) | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
Policy: [Preview]: Storage account public access should be disallowed (Storage)
Description: Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.

Resource: vnet-hpc-southcentralus | Microsoft.Network/virtualNetworks | southcentralus | tags: tbd
Subscription: 1d81cec7-7ded-4731-884e-90c5aa59c622 | Resource group: rg-marcusga-hpc1
Resource ID: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.network/virtualnetworks/vnet-hpc-southcentralus
Compliance: NonCompliant (IsCompliant: False)
Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
Policy definition: fc5e4038-4584-4632-8c85-c0448d374b2c (v3.0.0-preview, reference: azurefirewalleffect, group: azure_security_benchmark_v3.0_ns-3, category: tbd, effect: auditifnotexists) | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c
Assignment: Azure_Security_Baseline (scope: /providers/Microsoft.Management/managementGroups/MCAPSCore, parameters: tbd) | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
Policy: [Preview]: All Internet traffic should be routed via your deployed Azure Firewall (Network)
Description: Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall

Resource: anf | Microsoft.Network/virtualNetworks/subnets | tags: tbd
Subscription: 1d81cec7-7ded-4731-884e-90c5aa59c622 | Resource group: rg-marcusga-hpc1
Resource ID: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.network/virtualnetworks/vnet-hpc-southcentralus/subnets/anf
Compliance: NonCompliant (IsCompliant: False)
Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
Policy definition: e71308d3-144b-4262-b144-efdc3cc90517 (v3.0.0, reference: networksecuritygroupsonsubnetsmonitoring, group: azure_security_benchmark_v3.0_ns-1, category: tbd, effect: auditifnotexists) | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517
Assignment: Azure_Security_Baseline (scope: /providers/Microsoft.Management/managementGroups/MCAPSCore, parameters: tbd) | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
Policy: Subnets should be associated with a Network Security Group (Security Center)
Description: Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.

Resource: vnet-hpc-southcentralus | Microsoft.Network/virtualNetworks | southcentralus | tags: tbd
Subscription: 1d81cec7-7ded-4731-884e-90c5aa59c622 | Resource group: rg-marcusga-hpc1
Resource ID: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.network/virtualnetworks/vnet-hpc-southcentralus
Compliance: NonCompliant (IsCompliant: False)
Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
Policy definition: fc5e4038-4584-4632-8c85-c0448d374b2c (v3.0.0-preview, reference: azurefirewalleffect, group: azure_security_benchmark_v3.0_ns-3, category: tbd, effect: auditifnotexists) | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c
Assignment: SecurityCenterBuiltIn (scope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622, parameters: tbd) | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
Policy: [Preview]: All Internet traffic should be routed via your deployed Azure Firewall (Network)
Description: Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall

Resource: vnet-hpc-southcentralus | Microsoft.Network/virtualNetworks | southcentralus | tags: tbd
Subscription: 1d81cec7-7ded-4731-884e-90c5aa59c622 | Resource group: rg-marcusga-hpc1
Resource ID: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.network/virtualnetworks/vnet-hpc-southcentralus
Compliance: Compliant (IsCompliant: True)
Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
Policy definition: a7aca53f-2ed4-4466-a25e-0b45ade68efd (v3.0.0, reference: vnetenableddosprotectionmonitoring, group: azure_security_benchmark_v3.0_ns-5, category: tbd, effect: auditifnotexists) | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd
Assignment: SecurityCenterBuiltIn (scope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622, parameters: tbd) | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
Policy: Azure DDoS Protection Standard should be enabled (Security Center)
Description: DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.

Resource: sacyclecloudlab3 | Microsoft.Storage/storageAccounts | southcentralus | tags: tbd
Subscription: 1d81cec7-7ded-4731-884e-90c5aa59c622 | Resource group: rg-marcusga-hpc1
Resource ID: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.storage/storageaccounts/sacyclecloudlab3
Compliance: Compliant (IsCompliant: True)
Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
Policy definition: 404c3081-a854-4457-ae30-26a93ef643f9 (v2.0.0, reference: securetransfertostorageaccountmonitoring, group: azure_security_benchmark_v3.0_dp-3, category: tbd, effect: audit) | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9
Assignment: SecurityCenterBuiltIn (scope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622, parameters: tbd) | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
Policy: Secure transfer to storage accounts should be enabled (Storage)
Description: Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking

Resource: sacyclecloudlab3 | Microsoft.Storage/storageAccounts | southcentralus | tags: tbd
Subscription: 1d81cec7-7ded-4731-884e-90c5aa59c622 | Resource group: rg-marcusga-hpc1
Resource ID: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.storage/storageaccounts/sacyclecloudlab3
Compliance: Compliant (IsCompliant: True)
Policy set: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (v55.0.0, category: security center) | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
Policy definition: 37e0d2fe-28a5-43d6-a273-67d37d1f5606 (v1.0.0, reference: classicstorageaccountsmonitoring, group: azure_security_benchmark_v3.0_am-2, category: tbd, effect: audit) | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606
Assignment: SecurityCenterBuiltIn (scope: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622, parameters: tbd) | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
Policy: Storage accounts should be migrated to new Azure Resource Manager resources (Storage)
Description: Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management
1d81cec7-7ded-4731-884e-90c5aa59c622rg-marcusga-hpc1Microsoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.storage/storageaccounts/sacyclecloudlab3sacyclecloudlab355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622rg-marcusga-hpc1Microsoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.storage/storageaccounts/sacyclecloudlab3sacyclecloudlab355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622rg-marcusga-hpc1Microsoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.storage/storageaccounts/sacyclecloudlab3sacyclecloudlab355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
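The storage account rows above audit three properties of one account: secure transfer (HTTPS only), anonymous blob public access, and network access restricted by virtual network rules. The following Python is an added example, not part of this report and not Microsoft's policy definitions; it evaluates an account's ARM properties against the same three conditions so a reviewer can reproduce the verdict before and after a change. The property names follow the Microsoft.Storage/storageAccounts resource schema, the two sample accounts are constructed, and the network-rules check is an interpretation of the description on the page (default action Deny, no IP-based rules) rather than the built-in definition's exact rule.

```python
"""Assess an Azure storage account's ARM properties against the three storage
policies in this report. Added example, not code from the report or from Azure.
Input mirrors the 'properties' object of Microsoft.Storage/storageAccounts; the
sample accounts are constructed. The network-rules check approximates the policy
intent stated on the page; the built-in definition's exact rule may differ.
"""
from __future__ import annotations

# PolicyDisplayName values exactly as they appear in the report rows.
SECURE_TRANSFER = "Secure transfer to storage accounts should be enabled"
PUBLIC_ACCESS = "[Preview]: Storage account public access should be disallowed"
VNET_RULES = "Storage accounts should restrict network access using virtual network rules"


def assess_storage_account(props: dict) -> list[str]:
    """Return the display names of the report's storage policies this account fails."""
    findings: list[str] = []

    # Secure transfer: the account must reject plain HTTP. A missing property is
    # treated as non-compliant (assumption: evaluated as 'is not true').
    if props.get("supportsHttpsTrafficOnly") is not True:
        findings.append(SECURE_TRANSFER)

    # Public access: anonymous container/blob access must be disabled at the
    # account level. A missing value does not pass (assumption: 'is not false').
    if props.get("allowBlobPublicAccess") is not False:
        findings.append(PUBLIC_ACCESS)

    # Virtual network rules, as the page describes the policy: the firewall
    # default must be Deny and IP-based rules should be absent, so the only
    # path in is through a virtual network rule (or a private endpoint).
    acls = props.get("networkAcls") or {}
    default_deny = str(acls.get("defaultAction", "Allow")).lower() == "deny"
    has_ip_rules = bool(acls.get("ipRules"))
    if not default_deny or has_ip_rules:
        findings.append(VNET_RULES)

    return findings


# Constructed sample: the defaults an unhardened deployment often ends up with.
WEAK_ACCOUNT = {
    "supportsHttpsTrafficOnly": False,
    "allowBlobPublicAccess": True,
    "networkAcls": {
        "defaultAction": "Allow",
        "ipRules": [{"value": "203.0.113.0/24", "action": "Allow"}],
        "virtualNetworkRules": [],
    },
}

# The same account hardened: HTTPS only, no anonymous access, default Deny with
# one subnet admitted through a virtual network rule (subnet id is a placeholder).
HARDENED_ACCOUNT = {
    "supportsHttpsTrafficOnly": True,
    "allowBlobPublicAccess": False,
    "networkAcls": {
        "defaultAction": "Deny",
        "ipRules": [],
        "virtualNetworkRules": [
            {
                "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/providers/Microsoft.Network/virtualNetworks/vnet-example/subnets/compute",
                "action": "Allow",
            }
        ],
    },
}

if __name__ == "__main__":
    for name, acct in (("weak", WEAK_ACCOUNT), ("hardened", HARDENED_ACCOUNT)):
        failed = assess_storage_account(acct)
        print(f"{name}: {'NonCompliant' if failed else 'Compliant'}")
        for policy in failed:
            print(f"  - {policy}")
```

Feed it the JSON from `az storage account show` for a real account and the weak sample reproduces all three findings while the hardened sample reproduces none; the interesting case is an account with `defaultAction` set to Deny but IP rules still present, which fails only the virtual-network-rules policy.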
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Network/virtualNetworks/subnets,tbd,,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.network/virtualnetworks/vnet-hpc-southcentralus/subnets/compute,compute,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",Security Center,"Subnets should be associated with a Network Security Group"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1,vm-hbv2-imageprep-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Linux machines should meet requirements for the Azure compute security baseline"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1,vm-hbv2-imageprep-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,"All network ports should be restricted on network security groups associated to your virtual machine"
1d81cec7-7ded-4731-884e-90c5aa59c622,RG-MARCUSGA-HPC1,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3,vm-cyclecloud3,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Linux machines should meet requirements for the Azure compute security baseline"
1d81cec7-7ded-4731-884e-90c5aa59c622,RG-MARCUSGA-HPC1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3,vm-cyclecloud3,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,RG-MARCUSGA-HPC1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3,vm-cyclecloud3,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,"Allowlist rules in your adaptive application control policy should be updated"
1d81cec7-7ded-4731-884e-90c5aa59c622,RG-MARCUSGA-HPC1,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3,vm-cyclecloud3,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,"Adaptive application controls for defining safe applications should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,RG-MARCUSGA-HPC1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3,vm-cyclecloud3,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,"Management ports of virtual machines should be protected with just-in-time network access control"
1d81cec7-7ded-4731-884e-90c5aa59c622,RG-MARCUSGA-HPC1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3,vm-cyclecloud3,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,"[Preview]: System updates should be installed on your machines (powered by Update Center)"
1d81cec7-7ded-4731-884e-90c5aa59c622,RG-MARCUSGA-HPC1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3,vm-cyclecloud3,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,"System updates should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm,server-muztmmlfg5stqllcmi4taljugm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Linux machines should meet requirements for the Azure compute security baseline"
1d81cec7-7ded-4731-884e-90c5aa59c622,RG-MARCUSGA-HPC1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3,vm-cyclecloud3,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,"Guest Configuration extension should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,RG-MARCUSGA-HPC1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3,vm-cyclecloud3,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,"Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring"
1d81cec7-7ded-4731-884e-90c5aa59c622,RG-MARCUSGA-HPC1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3,vm-cyclecloud3,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Non-internet-facing virtual machines should be protected with network security groups"
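The NSG rows above (all ports restricted on the VM's network security groups, internet-facing and non-internet-facing VMs protected with NSGs) and the just-in-time access row come down to one question per port: does an inbound rule let an arbitrary Internet address through, and is that port one of the management ports JIT should be gating? The Python below is an added example, not the evaluation logic Azure runs and not code from this report. Rule dicts use the field names of `Microsoft.Network/networkSecurityGroups/securityRules` (priority, direction, access, protocol, sourceAddressPrefix(es), destinationPortRange(s)); the sample NSGs are constructed, and the management-port list is an assumption about JIT's default coverage. The model deliberately answers only "what happens to a TCP packet from an arbitrary Internet address": rules whose source is narrower than 'Any'/'Internet' neither create nor remove that exposure, which is exactly the distinction the policy description draws.

```python
"""Inbound NSG rules that expose ports to arbitrary Internet sources, and the
management ports just-in-time access would have to gate. Added example, not
code from the report or from Azure; rule dicts use securityRules field names
and the sample NSGs are constructed. Only rules whose source covers every
address ('*', 'Internet', '0.0.0.0/0') match a packet from an arbitrary
Internet host, so narrower allow rules are not 'Any/Internet' exposure and
narrower deny rules do not remove it.
"""
from __future__ import annotations

# Source specifications that match any Internet address (the portal shows '*' as 'Any').
ANY_SOURCE = {"*", "any", "internet", "0.0.0.0/0"}

# Assumption: the management ports JIT access protects by default (SSH, RDP, WinRM).
MGMT_PORTS = (22, 3389, 5985, 5986)

# The platform's implicit DenyAllInBound rule. AllowVnetInBound (65000) and
# AllowAzureLoadBalancerInBound (65001) never match an Internet source, so they are omitted.
DEFAULT_DENY_ALL = {
    "name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
    "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*",
}


def _port_matches(port: int, rule: dict) -> bool:
    """True if the rule's destination port spec ('*', '22', '5985-5986') covers port."""
    specs = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    for spec in specs:
        spec = str(spec).strip()
        if spec == "*":
            return True
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _source_is_any(rule: dict) -> bool:
    """True if the rule's source covers every Internet address."""
    sources = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "")]
    return any(str(s).strip().lower() in ANY_SOURCE for s in sources)


def internet_exposed_ports(rules: list[dict], ports: list[int]) -> dict[int, str]:
    """Map each port an arbitrary Internet host can reach over TCP to the allow rule
    that lets it through. NSG semantics: ascending priority, first match decides."""
    inbound = [r for r in rules if str(r.get("direction", "")).lower() == "inbound"]
    inbound.append(DEFAULT_DENY_ALL)
    inbound.sort(key=lambda r: int(r["priority"]))
    exposed: dict[int, str] = {}
    for port in ports:
        for rule in inbound:
            if str(rule.get("protocol", "*")).lower() not in ("*", "tcp"):
                continue
            if not (_source_is_any(rule) and _port_matches(port, rule)):
                continue
            if str(rule["access"]).lower() == "allow":
                exposed[port] = rule["name"]
            break  # first matching rule decides, Allow or Deny
    return exposed


def management_ports_needing_jit(rules: list[dict]) -> list[int]:
    """Management ports reachable from the Internet; these are what JIT should gate."""
    return sorted(internet_exposed_ports(rules, list(MGMT_PORTS)))


# Constructed sample NSG. RDP is allowed at 200 but shadowed by the deny at 110;
# WinRM is allowed only from one office range, which is not 'Any/Internet'.
WEAK_NSG_RULES = [
    {"name": "AllowSSHFromInternet", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "22"},
    {"name": "DenyRDPFromInternet", "priority": 110, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},
    {"name": "AllowWinRMFromOffice", "priority": 120, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRanges": ["5985-5986"]},
    {"name": "AllowRDPAny", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "AllowHTTPS", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
    {"name": "AllowAllOutbound", "priority": 100, "direction": "Outbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

# Hardened variant: SSH restricted to the office range, so only 443 stays public.
HARDENED_NSG_RULES = [
    dict(r, name="AllowSSHFromOffice", sourceAddressPrefix="203.0.113.0/24")
    if r["name"] == "AllowSSHFromInternet" else r
    for r in WEAK_NSG_RULES
]

if __name__ == "__main__":
    print("weak, exposed:", internet_exposed_ports(WEAK_NSG_RULES, [22, 443, 3389, 5985]))
    print("weak, JIT needed for:", management_ports_needing_jit(WEAK_NSG_RULES))
    print("hardened, JIT needed for:", management_ports_needing_jit(HARDENED_NSG_RULES))
```

On the weak sample only 22 and 443 are reachable from anywhere: the RDP allow at priority 200 never fires because the deny at 110 matches first, and the WinRM rule is scoped to one range. Port 443 is exposed too, but it is not a management port, so JIT is asked for only on 22; narrowing the SSH source (the hardened variant) or putting the port behind JIT are the two remediations the report's rows correspond to.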
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines/extensions,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm/extensions/azurepolicyforlinux,azurepolicyforlinux,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,"Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm,server-muztmmlfg5stqllcmi4taljugm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,"Endpoint protection health issues should be resolved on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1,vm-hbv2-imageprep-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,"Authentication to Linux machines should require SSH keys"
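The non-compliant row above for vm-hbv2-imageprep-1 says the guest still accepts SSH passwords. Deciding that from an sshd_config is less obvious than it looks, and the following Python is an added example (not the Guest Configuration check's own implementation, not code from this report) of the reading a reviewer has to do: sshd_config(5) takes the first value set for a keyword, not the last, so a `PasswordAuthentication no` appended below a distribution default of `yes` changes nothing; PasswordAuthentication and KbdInteractiveAuthentication (spelled ChallengeResponseAuthentication before OpenSSH 8.7) both default to yes, and with UsePAM the keyboard-interactive path can still collect a password; and directives inside a Match block apply only to matching connections. The sample configurations are constructed.

```python
"""Does an sshd_config still permit password logins? Added example, not the
policy's implementation. Applies the sshd_config(5) rules that the first value
set for a keyword wins, that keywords are case-insensitive, and that both
PasswordAuthentication and KbdInteractiveAuthentication (alias
ChallengeResponseAuthentication) default to 'yes'. Only the global section is
evaluated; Match-block overrides are surfaced for manual review. Samples are constructed.
"""
from __future__ import annotations
import re

_DIRECTIVE = re.compile(r"^([A-Za-z0-9]+)\s*[=\s]\s*(.*?)$")
# ChallengeResponseAuthentication is the older spelling of the same keyword.
_ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
_DEFAULTS = {"passwordauthentication": "yes", "kbdinteractiveauthentication": "yes"}


def _directive_lines(config_text: str):
    """Yield (keyword_lowercase, value) per directive, comments and blanks removed."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = _DIRECTIVE.match(line) if line else None
        if m:
            key = m.group(1).lower()
            yield _ALIASES.get(key, key), m.group(2).strip()


def parse_global_directives(config_text: str) -> dict[str, str]:
    """Effective global directives: first occurrence wins; stops at the first Match."""
    directives: dict[str, str] = {}
    for key, value in _directive_lines(config_text):
        if key == "match":
            break
        directives.setdefault(key, value)  # first value wins, per sshd_config(5)
    return directives


def password_logins_possible(config_text: str) -> bool:
    """True if sshd can still authenticate with a password in the global scope,
    either directly or through keyboard-interactive (PAM) prompting."""
    effective = {**_DEFAULTS, **parse_global_directives(config_text)}
    return (effective["passwordauthentication"].lower() == "yes"
            or effective["kbdinteractiveauthentication"].lower() == "yes")


def match_block_overrides(config_text: str) -> list[str]:
    """Password-related keywords re-set inside Match blocks; review those by hand."""
    in_match, found = False, []
    for key, _ in _directive_lines(config_text):
        if key == "match":
            in_match = True
        elif in_match and key in _DEFAULTS:
            found.append(key)
    return found


# Constructed: the distribution default near the top silently beats the 'no'
# an admin appended during hardening.
LOOKS_HARDENED = """\
# Package default
PasswordAuthentication yes
KbdInteractiveAuthentication no
UsePAM yes
# Appended during hardening; ignored because the first value wins
PasswordAuthentication no
"""

# Constructed: password auth is off, but keyboard-interactive keeps its default
# of 'yes', so PAM can still prompt for the account password.
PASSWORD_OFF_KBD_DEFAULT = "PubkeyAuthentication yes\nPasswordAuthentication no\n"

# Constructed: hardened globally, with a Match block re-enabling passwords for
# one address range; that block is what match_block_overrides() surfaces.
HARDENED = """\
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("looks_hardened", LOOKS_HARDENED),
                      ("password_off_kbd_default", PASSWORD_OFF_KBD_DEFAULT),
                      ("hardened", HARDENED)):
        print(f"{name}: password logins possible = {password_logins_possible(cfg)}, "
              f"Match overrides = {match_block_overrides(cfg)}")
```

On a live host, `sshd -T` prints the effective configuration after all of this resolution, and `sshd -T -C user=...,addr=...` evaluates the Match blocks for a specific connection; the static check above is for the case where only the file is available, as when an image is being reviewed before it boots.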
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm,server-muztmmlfg5stqllcmi4taljugm,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,3.0.0,prerequisite_deployextensionlinux,331e8ea8-378a-410f-a2e5-ae22f38bb0da,/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da,,tbd,deployifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs"
1d81cec7-7ded-4731-884e-90c5aa59c622,RG-MARCUSGA-HPC1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3,vm-cyclecloud3,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,3.0.0,prerequisite_deployextensionlinux,331e8ea8-378a-410f-a2e5-ae22f38bb0da,/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da,,tbd,deployifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs"
1d81cec7-7ded-4731-884e-90c5aa59c622,RG-MARCUSGA-HPC1,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3,vm-cyclecloud3,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,"Endpoint protection health issues should be resolved on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,RG-MARCUSGA-HPC1,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3,vm-cyclecloud3,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,"Endpoint protection should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,RG-MARCUSGA-HPC1,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3,vm-cyclecloud3,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,"Azure Backup should be enabled for Virtual Machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,RG-MARCUSGA-HPC1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3,vm-cyclecloud3,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,"Vulnerabilities in container security configurations should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622RG-MARCUSGA-HPC1Microsoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3vm-cyclecloud355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622rg-marcusga-hpc1Microsoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugmserver-muztmmlfg5stqllcmi4taljugm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622RG-MARCUSGA-HPC1Microsoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3vm-cyclecloud355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622RG-MARCUSGA-HPC1Microsoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3vm-cyclecloud355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622RG-MARCUSGA-HPC1Microsoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3vm-cyclecloud355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622rg-marcusga-hpc1Microsoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1vm-hbv2-imageprep-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622rg-marcusga-hpc1Microsoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1vm-hbv2-imageprep-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622rg-marcusga-hpc1Microsoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1vm-hbv2-imageprep-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622rg-marcusga-hpc1Microsoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1vm-hbv2-imageprep-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622rg-marcusga-hpc1Microsoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1vm-hbv2-imageprep-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622rg-marcusga-hpc1Microsoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1vm-hbv2-imageprep-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622rg-marcusga-hpc1Microsoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1vm-hbv2-imageprep-11.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622rg-marcusga-hpc1Microsoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1vm-hbv2-imageprep-11.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622rg-marcusga-hpc1Microsoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugmserver-muztmmlfg5stqllcmi4taljugm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622RG-MARCUSGA-HPC1Microsoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3vm-cyclecloud355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622RG-MARCUSGA-HPC1Microsoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3vm-cyclecloud355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622RG-MARCUSGA-HPC1Microsoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3vm-cyclecloud355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622rg-marcusga-hpc1Microsoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugmserver-muztmmlfg5stqllcmi4taljugm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622RG-MARCUSGA-HPC1Microsoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3vm-cyclecloud355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622RG-MARCUSGA-HPC1Microsoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3vm-cyclecloud355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622RG-MARCUSGA-HPC1Microsoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3vm-cyclecloud355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622RG-MARCUSGA-HPC1Microsoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3vm-cyclecloud355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622RG-MARCUSGA-HPC1Microsoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3vm-cyclecloud355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622,RG-MARCUSGA-HPC1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3,vm-cyclecloud3,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,All network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622,RG-MARCUSGA-HPC1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3,vm-cyclecloud3,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,A vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,RG-MARCUSGA-HPC1,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3,vm-cyclecloud3,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,RG-MARCUSGA-HPC1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3,vm-cyclecloud3,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,Adaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,RG-MARCUSGA-HPC1,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3,vm-cyclecloud3,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,SQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622,RG-MARCUSGA-HPC1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3,vm-cyclecloud3,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,All network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm,server-muztmmlfg5stqllcmi4taljugm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm,server-muztmmlfg5stqllcmi4taljugm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,Azure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm,server-muztmmlfg5stqllcmi4taljugm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,Azure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm,server-muztmmlfg5stqllcmi4taljugm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm,server-muztmmlfg5stqllcmi4taljugm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,IP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm,server-muztmmlfg5stqllcmi4taljugm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,Management ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm,server-muztmmlfg5stqllcmi4taljugm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,Adaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm,server-muztmmlfg5stqllcmi4taljugm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,SQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm,server-muztmmlfg5stqllcmi4taljugm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,All network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm,server-muztmmlfg5stqllcmi4taljugm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm,server-muztmmlfg5stqllcmi4taljugm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,A vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm,server-muztmmlfg5stqllcmi4taljugm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,Monitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm,server-muztmmlfg5stqllcmi4taljugm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,Vulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm,server-muztmmlfg5stqllcmi4taljugm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Non-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm,server-muztmmlfg5stqllcmi4taljugm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm,server-muztmmlfg5stqllcmi4taljugm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,Allowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm,server-muztmmlfg5stqllcmi4taljugm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,Adaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm,server-muztmmlfg5stqllcmi4taljugm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,Management ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm,server-muztmmlfg5stqllcmi4taljugm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm,server-muztmmlfg5stqllcmi4taljugm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm,server-muztmmlfg5stqllcmi4taljugm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines/extensions,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm/extensions/azurepolicyforlinux,azurepolicyforlinux,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622,RG-MARCUSGA-HPC1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3,vm-cyclecloud3,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhennone,3cf2ab00-13f1-4d0c-8971-2ac904541a7e,/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622,RG-MARCUSGA-HPC1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3,vm-cyclecloud3,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhenuser,497dff13-db2a-4c0f-8603-28fa3b331ab6,/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622RG-MARCUSGA-HPC1Microsoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3vm-cyclecloud355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622RG-MARCUSGA-HPC1Microsoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3vm-cyclecloud355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622RG-MARCUSGA-HPC1Microsoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3vm-cyclecloud355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622RG-MARCUSGA-HPC1Microsoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3vm-cyclecloud355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622RG-MARCUSGA-HPC1Microsoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3vm-cyclecloud355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622RG-MARCUSGA-HPC1Microsoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3vm-cyclecloud355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622RG-MARCUSGA-HPC1Microsoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3vm-cyclecloud355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622RG-MARCUSGA-HPC1Microsoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3vm-cyclecloud355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622RG-MARCUSGA-HPC1Microsoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3vm-cyclecloud355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622RG-MARCUSGA-HPC1Microsoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3vm-cyclecloud355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622RG-MARCUSGA-HPC1Microsoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3vm-cyclecloud355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622RG-MARCUSGA-HPC1Microsoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3vm-cyclecloud355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622RG-MARCUSGA-HPC1Microsoft.Compute/virtualMachinestbdsouthcentralusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3vm-cyclecloud355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622RG-MARCUSGA-HPC1Microsoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3vm-cyclecloud355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622RG-MARCUSGA-HPC1Microsoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3vm-cyclecloud355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622RG-MARCUSGA-HPC1Microsoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3vm-cyclecloud355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622RG-MARCUSGA-HPC1Microsoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3vm-cyclecloud355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622RG-MARCUSGA-HPC1Microsoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3vm-cyclecloud355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622RG-MARCUSGA-HPC1Microsoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3vm-cyclecloud355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622RG-MARCUSGA-HPC1Microsoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3vm-cyclecloud355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622RG-MARCUSGA-HPC1Microsoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3vm-cyclecloud355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622rg-marcusga-hpc1Microsoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1vm-hbv2-imageprep-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1,vm-hbv2-imageprep-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,"[Preview]: Secure Boot should be enabled on supported Windows virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm,server-muztmmlfg5stqllcmi4taljugm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,"Authentication to Linux machines should require SSH keys"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1,vm-hbv2-imageprep-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1,vm-hbv2-imageprep-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,"SQL servers on machines should have vulnerability findings resolved"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1,vm-hbv2-imageprep-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,"A vulnerability assessment solution should be enabled on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Exempt,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1,vm-hbv2-imageprep-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,"System updates should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1,vm-hbv2-imageprep-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,"Monitor missing Endpoint Protection in Azure Security Center"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm,server-muztmmlfg5stqllcmi4taljugm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,"Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1,vm-hbv2-imageprep-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Non-internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1,vm-hbv2-imageprep-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,"Vulnerabilities in security configuration on your machines should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1,vm-hbv2-imageprep-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,"Allowlist rules in your adaptive application control policy should be updated"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1,vm-hbv2-imageprep-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,"Adaptive network hardening recommendations should be applied on internet facing virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1,vm-hbv2-imageprep-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1,vm-hbv2-imageprep-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,"Adaptive application controls for defining safe applications should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1,vm-hbv2-imageprep-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,"[Preview]: System updates should be installed on your machines (powered by Update Center)"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1,vm-hbv2-imageprep-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,"System updates should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1,vm-hbv2-imageprep-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,"Guest Configuration extension should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,RG-MARCUSGA-HPC1,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3,vm-cyclecloud3,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Linux machines should meet requirements for the Azure compute security baseline"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1,vm-hbv2-imageprep-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,"Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1,vm-hbv2-imageprep-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,"Azure Backup should be enabled for Virtual Machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1,vm-hbv2-imageprep-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,"Endpoint protection health issues should be resolved on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1,vm-hbv2-imageprep-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,"Management ports of virtual machines should be protected with just-in-time network access control"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1,vm-hbv2-imageprep-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,"Management ports should be closed on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1,vm-hbv2-imageprep-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,"IP Forwarding on your virtual machine should be disabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1,vm-hbv2-imageprep-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,"Vulnerabilities in container security configurations should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm,server-muztmmlfg5stqllcmi4taljugm,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhennone,3cf2ab00-13f1-4d0c-8971-2ac904541a7e,/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm,server-muztmmlfg5stqllcmi4taljugm,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhenuser,497dff13-db2a-4c0f-8603-28fa3b331ab6,/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1,vm-hbv2-imageprep-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Linux machines should meet requirements for the Azure compute security baseline"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm,server-muztmmlfg5stqllcmi4taljugm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,"Virtual machines should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm,server-muztmmlfg5stqllcmi4taljugm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,"[Preview]: Machines should be configured to periodically check for missing system updates"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm,server-muztmmlfg5stqllcmi4taljugm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,"[Preview]: vTPM should be enabled on supported virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622rg-marcusga-hpc1Microsoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugmserver-muztmmlfg5stqllcmi4taljugm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622rg-marcusga-hpc1Microsoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugmserver-muztmmlfg5stqllcmi4taljugm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622rg-marcusga-hpc1Microsoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugmserver-muztmmlfg5stqllcmi4taljugm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622rg-marcusga-hpc1Microsoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugmserver-muztmmlfg5stqllcmi4taljugm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622rg-marcusga-hpc1Microsoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1vm-hbv2-imageprep-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622rg-marcusga-hpc1Microsoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugmserver-muztmmlfg5stqllcmi4taljugm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622rg-marcusga-hpc1Microsoft.Compute/virtualMachinestbdsouthcentralusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugmserver-muztmmlfg5stqllcmi4taljugm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622RG-MARCUSGA-HPC1Microsoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3vm-cyclecloud355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622rg-marcusga-hpc1Microsoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1vm-hbv2-imageprep-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622rg-marcusga-hpc1Microsoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugmserver-muztmmlfg5stqllcmi4taljugm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622rg-marcusga-hpc1Microsoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1vm-hbv2-imageprep-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622rg-marcusga-hpc1Microsoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1vm-hbv2-imageprep-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622rg-marcusga-hpc1Microsoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1vm-hbv2-imageprep-11.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration3.0.0prerequisite_deployextensionlinux331e8ea8-378a-410f-a2e5-ae22f38bb0da/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0datbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622rg-marcusga-hpc1Microsoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1vm-hbv2-imageprep-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622rg-marcusga-hpc1Microsoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1vm-hbv2-imageprep-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622rg-marcusga-hpc1Microsoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugmserver-muztmmlfg5stqllcmi4taljugm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622rg-marcusga-hpc1Microsoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1vm-hbv2-imageprep-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622rg-marcusga-hpc1Microsoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugmserver-muztmmlfg5stqllcmi4taljugm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622rg-marcusga-hpc1Microsoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugmserver-muztmmlfg5stqllcmi4taljugm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622rg-marcusga-hpc1Microsoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugmserver-muztmmlfg5stqllcmi4taljugm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622rg-marcusga-hpc1Microsoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugmserver-muztmmlfg5stqllcmi4taljugm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622rg-marcusga-hpc1Microsoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugmserver-muztmmlfg5stqllcmi4taljugm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm,server-muztmmlfg5stqllcmi4taljugm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,"A vulnerability assessment solution should be enabled on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm,server-muztmmlfg5stqllcmi4taljugm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,"All network ports should be restricted on network security groups associated to your virtual machine"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm,server-muztmmlfg5stqllcmi4taljugm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,"Allowlist rules in your adaptive application control policy should be updated"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm,server-muztmmlfg5stqllcmi4taljugm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,"SQL servers on machines should have vulnerability findings resolved"
1d81cec7-7ded-4731-884e-90c5aa59c622,RG-MARCUSGA-HPC1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3,vm-cyclecloud3,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,"Authentication to Linux machines should require SSH keys"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm,server-muztmmlfg5stqllcmi4taljugm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,"IP Forwarding on your virtual machine should be disabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines/extensions,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3/extensions/azurepolicyforlinux,azurepolicyforlinux,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,,tbd,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,"Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1,vm-hbv2-imageprep-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,"Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm,server-muztmmlfg5stqllcmi4taljugm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,"Vulnerabilities in container security configurations should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines/extensions,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-cyclecloud3/extensions/azurepolicyforlinux,azurepolicyforlinux,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,"Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm,server-muztmmlfg5stqllcmi4taljugm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,"Guest Configuration extension should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm,server-muztmmlfg5stqllcmi4taljugm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,"Adaptive network hardening recommendations should be applied on internet facing virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm,server-muztmmlfg5stqllcmi4taljugm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,"Adaptive application controls for defining safe applications should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm,server-muztmmlfg5stqllcmi4taljugm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,"Management ports should be closed on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm,server-muztmmlfg5stqllcmi4taljugm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,"[Preview]: System updates should be installed on your machines (powered by Update Center)"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1,vm-hbv2-imageprep-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,"All network ports should be restricted on network security groups associated to your virtual machine"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1,vm-hbv2-imageprep-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,"A vulnerability assessment solution should be enabled on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1,vm-hbv2-imageprep-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/server-muztmmlfg5stqllcmi4taljugm,server-muztmmlfg5stqllcmi4taljugm,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,"Management ports of virtual machines should be protected with just-in-time network access control"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1,vm-hbv2-imageprep-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,"Adaptive network hardening recommendations should be applied on internet facing virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1,vm-hbv2-imageprep-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,"Monitor missing Endpoint Protection in Azure Security Center"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1,vm-hbv2-imageprep-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,"Vulnerabilities in security configuration on your machines should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1,vm-hbv2-imageprep-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,"SQL servers on machines should have vulnerability findings resolved"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1,vm-hbv2-imageprep-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1,vm-hbv2-imageprep-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,"Allowlist rules in your adaptive application control policy should be updated"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1,vm-hbv2-imageprep-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,"Adaptive application controls for defining safe applications should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1,vm-hbv2-imageprep-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,"Management ports of virtual machines should be protected with just-in-time network access control"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1,vm-hbv2-imageprep-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,"[Preview]: System updates should be installed on your machines (powered by Update Center)"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1,vm-hbv2-imageprep-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,"Management ports should be closed on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1,vm-hbv2-imageprep-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,"IP Forwarding on your virtual machine should be disabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,rg-marcusga-hpc1,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/rg-marcusga-hpc1/providers/microsoft.compute/virtualmachines/vm-hbv2-imageprep-1,vm-hbv2-imageprep-1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,,tbd,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Non-internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622Site-Recovery-vault-eastusMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/site-recovery-vault-eastus/providers/microsoft.storage/storageaccounts/jlnfajsiterecovasrcachejlnfajsiterecovasrcache55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622Site-Recovery-vault-eastusMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/site-recovery-vault-eastus/providers/microsoft.storage/storageaccounts/jlnfajsiterecovasrcachejlnfajsiterecovasrcache55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622Site-Recovery-vault-eastusMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/site-recovery-vault-eastus/providers/microsoft.storage/storageaccounts/jlnfajsiterecovasrcachejlnfajsiterecovasrcache55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622Site-Recovery-vault-eastusMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/site-recovery-vault-eastus/providers/microsoft.storage/storageaccounts/jlnfajsiterecovasrcachejlnfajsiterecovasrcache55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622Site-Recovery-vault-eastusMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/site-recovery-vault-eastus/providers/microsoft.storage/storageaccounts/jlnfajsiterecovasrcachejlnfajsiterecovasrcache55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622Site-Recovery-vault-eastusMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/site-recovery-vault-eastus/providers/microsoft.storage/storageaccounts/jlnfajsiterecovasrcachejlnfajsiterecovasrcache55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622Site-Recovery-vault-eastusMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/site-recovery-vault-eastus/providers/microsoft.storage/storageaccounts/jlnfajsiterecovasrcachejlnfajsiterecovasrcache55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622Site-Recovery-vault-eastusMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/site-recovery-vault-eastus/providers/microsoft.storage/storageaccounts/jlnfajsiterecovasrcachejlnfajsiterecovasrcache55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622Site-Recovery-vault-eastusMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/site-recovery-vault-eastus/providers/microsoft.storage/storageaccounts/jlnfajsiterecovasrcachejlnfajsiterecovasrcache55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622Site-Recovery-vault-eastusMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/site-recovery-vault-eastus/providers/microsoft.storage/storageaccounts/jlnfajsiterecovasrcachejlnfajsiterecovasrcache55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622Site-Recovery-vault-eastusMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/site-recovery-vault-eastus/providers/microsoft.storage/storageaccounts/jlnfajsiterecovasrcachejlnfajsiterecovasrcache55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622SNPS-StorageTestMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/snps-storagetest/providers/microsoft.storage/storageaccounts/snpssftpsasnpssftpsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622SNPS-StorageTestMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/snps-storagetest/providers/microsoft.storage/storageaccounts/snpssftpsasnpssftpsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622SNPS-StorageTestMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/snps-storagetest/providers/microsoft.storage/storageaccounts/snpssftpsasnpssftpsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622SNPS-StorageTestMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/snps-storagetest/providers/microsoft.storage/storageaccounts/snpssftpsasnpssftpsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622SNPS-StorageTestMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/snps-storagetest/providers/microsoft.storage/storageaccounts/snpssftpsasnpssftpsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622SNPS-StorageTestMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/snps-storagetest/providers/microsoft.storage/storageaccounts/snpssftpsasnpssftpsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622SNPS-StorageTestMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/snps-storagetest/providers/microsoft.storage/storageaccounts/snpssftpsasnpssftpsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622SNPS-StorageTestMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/snps-storagetest/providers/microsoft.storage/storageaccounts/snpssftpsasnpssftpsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622SNPS-StorageTestMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/snps-storagetest/providers/microsoft.storage/storageaccounts/snpssftpsasnpssftpsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622SNPS-StorageTestMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/snps-storagetest/providers/microsoft.storage/storageaccounts/snpssftpsasnpssftpsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622SNPS-StorageTestMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/snps-storagetest/providers/microsoft.storage/storageaccounts/snpssftpsasnpssftpsa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622,sr-batchfunction,Microsoft.Storage/storageAccounts,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/sr-batchfunction/providers/microsoft.storage/storageaccounts/srnggmbatchsa,srnggmbatchsa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,"Secure transfer to storage accounts should be enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,sr-batchfunction,Microsoft.Storage/storageAccounts,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/sr-batchfunction/providers/microsoft.storage/storageaccounts/srnggmbatchsa,srnggmbatchsa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,"Storage accounts should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,sr-batchfunction,Microsoft.Storage/storageAccounts,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/sr-batchfunction/providers/microsoft.storage/storageaccounts/srnggmbatchsa,srnggmbatchsa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,"[Preview]: Storage account public access should be disallowed"
1d81cec7-7ded-4731-884e-90c5aa59c622,sr-batchfunction,Microsoft.Storage/storageAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/sr-batchfunction/providers/microsoft.storage/storageaccounts/srnggmbatchsa,srnggmbatchsa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,"Storage accounts should restrict network access using virtual network rules"
1d81cec7-7ded-4731-884e-90c5aa59c622,sr-batchfunction,Microsoft.Storage/storageAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/sr-batchfunction/providers/microsoft.storage/storageaccounts/srnggmbatchsa,srnggmbatchsa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.1.1,disableunrestrictednetworktostorageaccountmonitoring,34c877ad-507e-4c82-993e-3452a6e0ad3c,/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges",Storage,"Storage accounts should restrict network access"
1d81cec7-7ded-4731-884e-90c5aa59c622,sr-batchfunction,Microsoft.Network/virtualNetworks/subnets,tbd,,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/sr-batchfunction/providers/microsoft.network/virtualnetworks/batchfunctionvnet/subnets/default,default,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",Security Center,"Subnets should be associated with a Network Security Group"
1d81cec7-7ded-4731-884e-90c5aa59c622,sr-batchfunction,Microsoft.Storage/storageAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/sr-batchfunction/providers/microsoft.storage/storageaccounts/srnggmbatchsa,srnggmbatchsa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,"Storage accounts should restrict network access using virtual network rules"
1d81cec7-7ded-4731-884e-90c5aa59c622,sr-batchfunction,Microsoft.Storage/storageAccounts,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/sr-batchfunction/providers/microsoft.storage/storageaccounts/srnggmbatchsa,srnggmbatchsa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,"[Preview]: Storage account public access should be disallowed"
1d81cec7-7ded-4731-884e-90c5aa59c622,sr-batchfunction,Microsoft.Storage/storageAccounts,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/sr-batchfunction/providers/microsoft.storage/storageaccounts/srnggmbatchsa,srnggmbatchsa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,"Storage accounts should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,sr-batchfunction,Microsoft.Network/virtualNetworks,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/sr-batchfunction/providers/microsoft.network/virtualnetworks/batchfunctionvnet,batchfunctionvnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0-preview,azurefirewalleffect,fc5e4038-4584-4632-8c85-c0448d374b2c,/providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall",Network,"[Preview]: All Internet traffic should be routed via your deployed Azure Firewall"
1d81cec7-7ded-4731-884e-90c5aa59c622,sr-batchfunction,Microsoft.Network/virtualNetworks/subnets,tbd,,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/sr-batchfunction/providers/microsoft.network/virtualnetworks/batchfunctionvnet/subnets/batchnodes,batchnodes,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",Security Center,"Subnets should be associated with a Network Security Group"
1d81cec7-7ded-4731-884e-90c5aa59c622,sr-batchfunction,Microsoft.Network/virtualNetworks,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/sr-batchfunction/providers/microsoft.network/virtualnetworks/batchfunctionvnet,batchfunctionvnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0-preview,azurefirewalleffect,fc5e4038-4584-4632-8c85-c0448d374b2c,/providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall",Network,"[Preview]: All Internet traffic should be routed via your deployed Azure Firewall"
1d81cec7-7ded-4731-884e-90c5aa59c622,sr-batchfunction,Microsoft.Batch/batchAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/sr-batchfunction/providers/microsoft.batch/batchaccounts/nggmdemo,nggmdemo,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,5.0.0,diagnosticslogsinbatchaccountmonitoring,428256e6-1fac-4f48-a757-df34c2b3336d,/providers/microsoft.authorization/policydefinitions/428256e6-1fac-4f48-a757-df34c2b3336d,azure_security_benchmark_v3.0_lt-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised",Batch,"Resource logs in Batch accounts should be enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,sr-batchfunction,Microsoft.Network/virtualNetworks,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/sr-batchfunction/providers/microsoft.network/virtualnetworks/batchfunctionvnet,batchfunctionvnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networkwatchershouldbeenabledmonitoringeffect,b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,azure_security_benchmark_v3.0_ir-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.",Network,"Network Watcher should be enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,sr-batchfunction,Microsoft.Network/virtualNetworks,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/sr-batchfunction/providers/microsoft.network/virtualnetworks/batchfunctionvnet,batchfunctionvnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networkwatchershouldbeenabledmonitoringeffect,b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,azure_security_benchmark_v3.0_ir-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.",Network,"Network Watcher should be enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,sr-batchfunction,Microsoft.Storage/storageAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/sr-batchfunction/providers/microsoft.storage/storageaccounts/srnggmbatchsa,srnggmbatchsa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,"Storage accounts should use private link"
1d81cec7-7ded-4731-884e-90c5aa59c622,sr-batchfunction,Microsoft.Storage/storageAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/sr-batchfunction/providers/microsoft.storage/storageaccounts/srnggmbatchsa,srnggmbatchsa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,"Storage accounts should use private link"
1d81cec7-7ded-4731-884e-90c5aa59c622,sr-batchfunction,Microsoft.Batch/batchAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/sr-batchfunction/providers/microsoft.batch/batchaccounts/nggmdemo,nggmdemo,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,5.0.0,diagnosticslogsinbatchaccountmonitoring,428256e6-1fac-4f48-a757-df34c2b3336d,/providers/microsoft.authorization/policydefinitions/428256e6-1fac-4f48-a757-df34c2b3336d,azure_security_benchmark_v3.0_lt-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised",Batch,"Resource logs in Batch accounts should be enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,sr-batchfunction,Microsoft.Storage/storageAccounts,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/sr-batchfunction/providers/microsoft.storage/storageaccounts/srnggmbatchsa,srnggmbatchsa,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,"Secure transfer to storage accounts should be enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,sr-batchfunction,Microsoft.Network/virtualNetworks,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/sr-batchfunction/providers/microsoft.network/virtualnetworks/batchfunctionvnet,batchfunctionvnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vnetenableddosprotectionmonitoring,a7aca53f-2ed4-4466-a25e-0b45ade68efd,/providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd,azure_security_benchmark_v3.0_ns-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.",Security Center,"Azure DDoS Protection Standard should be enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,srwestus2,Microsoft.Network/virtualNetworks,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/srwestus2/providers/microsoft.network/virtualnetworks/srwestus2vnet,srwestus2vnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networkwatchershouldbeenabledmonitoringeffect,b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,azure_security_benchmark_v3.0_ir-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.",Network,"Network Watcher should be enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,srwestus2,Microsoft.Network/virtualNetworks,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/srwestus2/providers/microsoft.network/virtualnetworks/srwestus2vnet,srwestus2vnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vnetenableddosprotectionmonitoring,a7aca53f-2ed4-4466-a25e-0b45ade68efd,/providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd,azure_security_benchmark_v3.0_ns-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.",Security Center,"Azure DDoS Protection Standard should be enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,srwestus2,Microsoft.Network/virtualNetworks,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/srwestus2/providers/microsoft.network/virtualnetworks/srwestus2vnet,srwestus2vnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networkwatchershouldbeenabledmonitoringeffect,b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,azure_security_benchmark_v3.0_ir-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.",Network,"Network Watcher should be enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,srwestus2,Microsoft.Network/virtualNetworks/subnets,tbd,,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/srwestus2/providers/microsoft.network/virtualnetworks/srwestus2vnet/subnets/default,default,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",Security Center,"Subnets should be associated with a Network Security Group"
1d81cec7-7ded-4731-884e-90c5aa59c622srwestus2Microsoft.Network/virtualNetworkstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/srwestus2/providers/microsoft.network/virtualnetworks/srwestus2vnetsrwestus2vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vnetenableddosprotectionmonitoringa7aca53f-2ed4-4466-a25e-0b45ade68efd/providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efdazure_security_benchmark_v3.0_ns-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.Security CenterAzure DDoS Protection Standard should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622srwestus2Microsoft.Network/virtualNetworkstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/srwestus2/providers/microsoft.network/virtualnetworks/srwestus2vnetsrwestus2vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vnetenableddosprotectionmonitoringa7aca53f-2ed4-4466-a25e-0b45ade68efd/providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efdazure_security_benchmark_v3.0_ns-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.Security CenterAzure DDoS Protection Standard should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622srwestus2Microsoft.Network/virtualNetworkstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/srwestus2/providers/microsoft.network/virtualnetworks/srwestus2vnetsrwestus2vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622 | srwestus2 | Microsoft.Network/virtualNetworks | tbd | westus2 | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/srwestus2/providers/microsoft.network/virtualnetworks/srwestus2vnet | srwestus2vnet | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622 | StellantisRFQ | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stellantisrfq/providers/microsoft.storage/storageaccounts/stellantiscycle | stellantiscycle | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622 | StellantisRFQ | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stellantisrfq/providers/microsoft.storage/storageaccounts/stellantiscycle | stellantiscycle | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 2.0.0 | storageaccountshoulduseaprivatelinkconnectionmonitoringeffect | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | /providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9 | azure_security_benchmark_v3.0_ns-2 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Storage | Storage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622 | StellantisRFQ | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stellantisrfq/providers/microsoft.storage/storageaccounts/stellantiscycle | stellantiscycle | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622 | StellantisRFQ | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stellantisrfq/providers/microsoft.storage/storageaccounts/stellantiscycle | stellantiscycle | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.1.1 | disableunrestrictednetworktostorageaccountmonitoring | 34c877ad-507e-4c82-993e-3452a6e0ad3c | /providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c | azure_security_benchmark_v3.0_ns-2 | tbd | audit |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Storage | Storage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622 | stellantisrfq | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stellantisrfq/providers/microsoft.network/virtualnetworks/stellantisrfq-vnet | stellantisrfq-vnet | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622 | stellantisrfq | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stellantisrfq/providers/microsoft.network/virtualnetworks/stellantisrfq-vnet | stellantisrfq-vnet | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | networkwatchershouldbeenabledmonitoringeffect | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | /providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 | azure_security_benchmark_v3.0_ir-4 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | Network | Network Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622 | stellantisrfq | Microsoft.Network/virtualNetworks | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stellantisrfq/providers/microsoft.network/virtualnetworks/stellantisrfq-vnet | stellantisrfq-vnet | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall
1d81cec7-7ded-4731-884e-90c5aa59c622 | StellantisRFQ | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stellantisrfq/providers/microsoft.storage/storageaccounts/stellantiscycle | stellantiscycle | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622 | stellantisrfq | Microsoft.Network/virtualNetworks/subnets | tbd |  | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stellantisrfq/providers/microsoft.network/virtualnetworks/stellantisrfq-vnet/subnets/default | default | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622 | StellantisRFQ | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stellantisrfq/providers/microsoft.storage/storageaccounts/stellantiscycle | stellantiscycle | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622 | StellantisRFQ | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stellantisrfq/providers/microsoft.storage/storageaccounts/stellantiscycle | stellantiscycle | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622 | StellantisRFQ | Microsoft.Storage/storageAccounts | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stellantisrfq/providers/microsoft.storage/storageaccounts/stellantiscycle | stellantiscycle | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.1 | storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | /providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | azure_security_benchmark_v3.0_ns-2 | tbd | audit |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Storage | Storage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622 | StellantisRFQ | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stellantisrfq/providers/microsoft.storage/storageaccounts/stellantiscycle | stellantiscycle | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.1.0-preview | storagedisallowpublicaccess | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | /providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | azure_security_benchmark_v3.0_ns-2 | tbd | audit |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Storage | [Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622 | StellantisRFQ | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stellantisrfq/providers/microsoft.storage/storageaccounts/stellantiscycle | stellantiscycle | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | classicstorageaccountsmonitoring | 37e0d2fe-28a5-43d6-a273-67d37d1f5606 | /providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 | azure_security_benchmark_v3.0_am-2 | tbd | audit |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Storage | Storage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622 | stellantisrfq | Microsoft.Network/virtualNetworks/subnets | tbd |  | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stellantisrfq/providers/microsoft.network/virtualnetworks/stellantisrfq-vnet/subnets/netapp | netapp | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | networksecuritygroupsonsubnetsmonitoring | e71308d3-144b-4262-b144-efdc3cc90517 | /providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | Security Center | Subnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622 | StellantisRFQ | Microsoft.Storage/storageAccounts | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stellantisrfq/providers/microsoft.storage/storageaccounts/stellantiscycle | stellantiscycle | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 2.0.0 | securetransfertostorageaccountmonitoring | 404c3081-a854-4457-ae30-26a93ef643f9 | /providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9 | azure_security_benchmark_v3.0_dp-3 | tbd | audit |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Storage | Secure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622 | stellantisrfq | Microsoft.Network/virtualNetworks | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stellantisrfq/providers/microsoft.network/virtualnetworks/stellantisrfq-vnet | stellantisrfq-vnet | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | vnetenableddosprotectionmonitoring | a7aca53f-2ed4-4466-a25e-0b45ade68efd | /providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd | azure_security_benchmark_v3.0_ns-5 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Security Center | Azure DDoS Protection Standard should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622 | stellantisrfq | Microsoft.Network/virtualNetworks | tbd | eastus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stellantisrfq/providers/microsoft.network/virtualnetworks/stellantisrfq-vnet | stellantisrfq-vnet | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0-preview | azurefirewalleffect | fc5e4038-4584-4632-8c85-c0448d374b2c | /providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Network | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.KeyVault/vaultstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.keyvault/vaults/steve-bastion-keyssteve-bastion-keys55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.KeyVault/vaultstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.keyvault/vaults/steve-bastion-keyssteve-bastion-keys55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2srcyclewsetus255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2srcyclewsetus255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.KeyVault/vaultstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.keyvault/vaults/steve-bastion-keyssteve-bastion-keys55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2srcyclewsetus255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2srcyclewsetus255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2srcyclewsetus255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2srcyclewsetus255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2srcyclewsetus255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2srcyclewsetus255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2srcyclewsetus255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2srcyclewsetus255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2srcyclewsetus255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.KeyVault/vaultstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.keyvault/vaults/steve-bastion-keyssteve-bastion-keys55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployerazhop-deployer1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82sr-cycle-8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82sr-cycle-8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82sr-cycle-8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82sr-cycle-8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82sr-cycle-8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82sr-cycle-8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82sr-cycle-8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82,sr-cycle-82,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,"Guest Configuration extension should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82,sr-cycle-82,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,"Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82,sr-cycle-82,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,"Guest Configuration extension should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82,sr-cycle-82,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,"Endpoint protection health issues should be resolved on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82,sr-cycle-82,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,"Endpoint protection should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82,sr-cycle-82,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,"IP Forwarding on your virtual machine should be disabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82,sr-cycle-82,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,"Vulnerabilities in container security configurations should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82,sr-cycle-82,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,"Adaptive network hardening recommendations should be applied on internet facing virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82,sr-cycle-82,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,3.0.0,prerequisite_deployextensionlinux,331e8ea8-378a-410f-a2e5-ae22f38bb0da,/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da,,tbd,deployifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82,sr-cycle-82,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,"Management ports should be closed on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82,sr-cycle-82,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,"Monitor missing Endpoint Protection in Azure Security Center"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82,sr-cycle-82,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,"A vulnerability assessment solution should be enabled on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82,sr-cycle-82,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,"Authentication to Linux machines should require SSH keys"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver,cycleserver,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,"Authentication to Linux machines should require SSH keys"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82,sr-cycle-82,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Linux machines should meet requirements for the Azure compute security baseline"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_wrf,Microsoft.Compute/virtualMachines/extensions,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82/extensions/azurepolicyforlinux,azurepolicyforlinux,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,"Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_wrf,Microsoft.Compute/virtualMachines/extensions,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82/extensions/azurepolicyforlinux,azurepolicyforlinux,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,"Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82,sr-cycle-82,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,"Azure Backup should be enabled for Virtual Machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82,sr-cycle-82,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,"Endpoint protection health issues should be resolved on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82,sr-cycle-82,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,"Endpoint protection should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82,sr-cycle-82,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,"Azure Backup should be enabled for Virtual Machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82,sr-cycle-82,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,"Vulnerabilities in container security configurations should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82,sr-cycle-82,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,"IP Forwarding on your virtual machine should be disabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82,sr-cycle-82,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,"Management ports should be closed on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82,sr-cycle-82,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,"SQL servers on machines should have vulnerability findings resolved"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82,sr-cycle-82,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,"Adaptive network hardening recommendations should be applied on internet facing virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82,sr-cycle-82,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,"All network ports should be restricted on network security groups associated to your virtual machine"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82,sr-cycle-82,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj,server-mi4dcobymfrgillegrsgeljumj,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,"Authentication to Linux machines should require SSH keys"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82,sr-cycle-82,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,"SQL servers on machines should have vulnerability findings resolved"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82,sr-cycle-82,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82sr-cycle-821.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82sr-cycle-821.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqblobcmaqblob55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqblobcmaqblob55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqblobcmaqblob55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqblobcmaqblob55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqblobcmaqblob55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqblobcmaqblob55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqblobcmaqblob55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqblobcmaqblob55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqblobcmaqblob55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqcifsstoragecmaqcifsstorage55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqcifsstoragecmaqcifsstorage55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqcifsstoragecmaqcifsstorage55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqcifsstoragecmaqcifsstorage55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82sr-cycle-8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82sr-cycle-8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82sr-cycle-8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82sr-cycle-8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82sr-cycle-8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82sr-cycle-8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82sr-cycle-8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82sr-cycle-8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82sr-cycle-8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82sr-cycle-8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82sr-cycle-8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82sr-cycle-8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82sr-cycle-8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82sr-cycle-8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82sr-cycle-8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82sr-cycle-8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82sr-cycle-8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82sr-cycle-8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82sr-cycle-8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82sr-cycle-8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqcifsstoragecmaqcifsstorage55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhfscheduler-mjsdcmtcgm3teljqmnrdcljuhf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82sr-cycle-8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-newsr-cycle-new55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumjserver-mi4dcobymfrgillegrsgeljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-newsr-cycle-new55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-newsr-cycle-new55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-newsr-cycle-new55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-newsr-cycle-new1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration3.0.0prerequisite_deployextensionlinux331e8ea8-378a-410f-a2e5-ae22f38bb0da/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0datbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-newsr-cycle-new55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-newsr-cycle-new55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-newsr-cycle-new55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-newsr-cycle-new55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-newsr-cycle-new55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-newsr-cycle-new55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-newsr-cycle-new55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-newsr-cycle-new55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-newsr-cycle-new55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhfscheduler-mjsdcmtcgm3teljqmnrdcljuhf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-newsr-cycle-new55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-newsr-cycle-new55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-newsr-cycle-new55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-newsr-cycle-new55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-newsr-cycle-new55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-newsr-cycle-new55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-newsr-cycle-new55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-newsr-cycle-new55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-newsr-cycle-new55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-newsr-cycle-new55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-newsr-cycle-new55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-newsr-cycle-new55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-newsr-cycle-new55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-newsr-cycle-new55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-newsr-cycle-new55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-newsr-cycle-new55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-newsr-cycle-new55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-newsr-cycle-new55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-newsr-cycle-new55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82sr-cycle-8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-newsr-cycle-new55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-newsr-cycle-new55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622steve_wrfMicrosoft.Network/virtualNetworkstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.network/virtualnetworks/wrf_vnetwrf_vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0-previewazurefirewalleffectfc5e4038-4584-4632-8c85-c0448d374b2c/providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2cazure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewallNetwork[Preview]: All Internet traffic should be routed via your deployed Azure Firewall
1d81cec7-7ded-4731-884e-90c5aa59c622steve_wrfMicrosoft.Network/virtualNetworkstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.network/virtualnetworks/wrf_vnetwrf_vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vnetenableddosprotectionmonitoringa7aca53f-2ed4-4466-a25e-0b45ade68efd/providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efdazure_security_benchmark_v3.0_ns-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.Security CenterAzure DDoS Protection Standard should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.KeyVault/vaults,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.keyvault/vaults/steve-bastion-keys,steve-bastion-keys,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,5.0.0,diagnosticslogsinkeyvaultmonitoring,cf820ca0-f99e-4f3e-84fb-66e913812d21,/providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised",Key Vault,"Resource logs in Key Vault should be enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.KeyVault/vaults,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.keyvault/vaults/steve-bastion-keys,steve-bastion-keys,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,5.0.0,diagnosticslogsinkeyvaultmonitoring,cf820ca0-f99e-4f3e-84fb-66e913812d21,/providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised",Key Vault,"Resource logs in Key Vault should be enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new,sr-cycle-new,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Linux machines should meet requirements for the Azure compute security baseline"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.KeyVault/vaults,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.keyvault/vaults/steve-bastion-keys,steve-bastion-keys,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.1.0-preview,privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect,5f0bc445-3935-4915-9981-011aa2b46147,/providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147,System.Object[],tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration.",Key Vault,"[Preview]: Private endpoint should be configured for Key Vault"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.KeyVault/vaults,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.keyvault/vaults/steve-bastion-keys,steve-bastion-keys,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,firewallshouldbeenabledonkeyvaultmonitoringeffect,55615ac9-af46-4a59-874e-391cc3dfb490,/providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490,System.Object[],tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security",Key Vault,"Azure Key Vault should have firewall enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new,sr-cycle-new,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,"Authentication to Linux machines should require SSH keys"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new,sr-cycle-new,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,"Authentication to Linux machines should require SSH keys"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.KeyVault/vaults,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.keyvault/vaults/steve-bastion-keys,steve-bastion-keys,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,keyvaultsshouldhavesoftdeleteenabledmonitoringeffect,1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d,/providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d,azure_security_benchmark_v3.0_dp-8,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.",Key Vault,"Key vaults should have soft delete enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.KeyVault/vaults,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.keyvault/vaults/steve-bastion-keys,steve-bastion-keys,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect,0b60c0b2-2dc2-4e1c-b5c9-abbed971de53,/providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53,azure_security_benchmark_v3.0_dp-8,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.",Key Vault,"Key vaults should have purge protection enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.KeyVault/vaults,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.keyvault/vaults/steve-bastion-keys,steve-bastion-keys,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.1.0-preview,privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect,5f0bc445-3935-4915-9981-011aa2b46147,/providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147,System.Object[],tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration.",Key Vault,"[Preview]: Private endpoint should be configured for Key Vault"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.KeyVault/vaults,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.keyvault/vaults/steve-bastion-keys,steve-bastion-keys,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,firewallshouldbeenabledonkeyvaultmonitoringeffect,55615ac9-af46-4a59-874e-391cc3dfb490,/providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490,System.Object[],tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security",Key Vault,"Azure Key Vault should have firewall enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.KeyVault/vaults,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.keyvault/vaults/steve-bastion-keys,steve-bastion-keys,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,keyvaultsshouldhavesoftdeleteenabledmonitoringeffect,1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d,/providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d,azure_security_benchmark_v3.0_dp-8,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.",Key Vault,"Key vaults should have soft delete enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.KeyVault/vaults,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.keyvault/vaults/steve-bastion-keys,steve-bastion-keys,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect,0b60c0b2-2dc2-4e1c-b5c9-abbed971de53,/providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53,azure_security_benchmark_v3.0_dp-8,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.",Key Vault,"Key vaults should have purge protection enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_wrf,Microsoft.Network/virtualNetworks/subnets,tbd,,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.network/virtualnetworks/wrf_vnet/subnets/anf,anf,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",Security Center,"Subnets should be associated with a Network Security Group"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new,sr-cycle-new,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,"All network ports should be restricted on network security groups associated to your virtual machine"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_wrf,Microsoft.Network/virtualNetworks/subnets,tbd,,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.network/virtualnetworks/wrf_vnet/subnets/azurebastionsubnet,azurebastionsubnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",Security Center,"Subnets should be associated with a Network Security Group"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_wrf,Microsoft.Network/virtualNetworks/subnets,tbd,,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.network/virtualnetworks/wrf_vnet/subnets/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",Security Center,"Subnets should be associated with a Network Security Group"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new,sr-cycle-new,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,"Adaptive network hardening recommendations should be applied on internet facing virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new,sr-cycle-new,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,"Management ports should be closed on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new,sr-cycle-new,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,"IP Forwarding on your virtual machine should be disabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new,sr-cycle-new,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,"Vulnerabilities in container security configurations should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj,server-mi4dcobymfrgillegrsgeljumj,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Linux machines should meet requirements for the Azure compute security baseline"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new,sr-cycle-new,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,"Azure Backup should be enabled for Virtual Machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new,sr-cycle-new,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,"Endpoint protection should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new,sr-cycle-new,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,"Endpoint protection health issues should be resolved on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_wrf,Microsoft.Compute/virtualMachines/extensions,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new/extensions/azurepolicyforlinux,azurepolicyforlinux,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,"Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj,server-mi4dcobymfrgillegrsgeljumj,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Linux machines should meet requirements for the Azure compute security baseline"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_wrf,Microsoft.Network/virtualNetworks,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.network/virtualnetworks/wrf_vnet,wrf_vnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networkwatchershouldbeenabledmonitoringeffect,b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,azure_security_benchmark_v3.0_ir-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.",Network,"Network Watcher should be enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_wrf,Microsoft.Network/virtualNetworks,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.network/virtualnetworks/wrf_vnet,wrf_vnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networkwatchershouldbeenabledmonitoringeffect,b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,azure_security_benchmark_v3.0_ir-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.",Network,"Network Watcher should be enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_wrf,Microsoft.Compute/virtualMachines/extensions,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new/extensions/azurepolicyforlinux,azurepolicyforlinux,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,"Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new,sr-cycle-new,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Linux machines should meet requirements for the Azure compute security baseline"
1d81cec7-7ded-4731-884e-90c5aa59c622steve_wrfMicrosoft.Network/virtualNetworkstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.network/virtualnetworks/wrf_vnetwrf_vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0-previewazurefirewalleffectfc5e4038-4584-4632-8c85-c0448d374b2c/providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2cazure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewallNetwork[Preview]: All Internet traffic should be routed via your deployed Azure Firewall
1d81cec7-7ded-4731-884e-90c5aa59c622steve_wrfMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.network/virtualnetworks/wrf_vnet/subnets/defaultdefault55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqcifsstoragecmaqcifsstorage55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqfilescmaqfiles55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqcifsstoragecmaqcifsstorage55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.KeyVault/vaultstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.keyvault/vaults/steve-bastion-keyssteve-bastion-keys55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srscwrfblobnfssrscwrfblobnfs55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srscwrflustrehsmsrscwrflustrehsm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
Subscription 1d81cec7-7ded-4731-884e-90c5aa59c622, resource group steve_WRF: 31 records. The export rows lost their field separators; the columns are recovered below from the report header.

Values that are the same in every record of this group, listed once:
  SubscriptionId               1d81cec7-7ded-4731-884e-90c5aa59c622
  ResourceGroup                steve_WRF
  ResourceId                   /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/<ResourceType in lower case>/<Resource>
  PolicySetDefinitionVersion   55.0.0
  PolicySetDefinitionName      1f3afdf9-d0c9-4c3d-847f-89da613e70a8
  PolicySetDefinitionId        /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
  PolicySetDefinitionCategory  security center (empty on the Key Vault records)
  PolicyDefinitionId           /providers/microsoft.authorization/policydefinitions/<PolicyDefinitionName>
  ResourceTags, PolicyDefinitionCategory and the column between PolicyAssignmentScope and PolicyAssignmentName hold the placeholder tbd in every record; EffectiveParameters, PolicySetDefinitionParameters, PolicySetDefinitionOwner, PolicyEvaluationDetails and PolicyAssignmentVersion are empty.

Assignments (PolicyAssignmentName, PolicyAssignmentScope, PolicyAssignmentId):
  A1  Azure_Security_Baseline   /providers/Microsoft.Management/managementGroups/MCAPSCore
      /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
  A2  SecurityCenterBuiltIn     /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622
      /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin

Policy definitions (PolicyDisplayName; then PolicyDefinitionName, PolicyDefinitionVersion, PolicyDefinitionAction, PolicyDefinitionReferenceId, PolicyDefinitionGroupNames, PolicyCategory; then PolicyDescription):
  P1  Storage accounts should restrict network access
      34c877ad-507e-4c82-993e-3452a6e0ad3c  1.1.1  audit  disableunrestrictednetworktostorageaccountmonitoring  azure_security_benchmark_v3.0_ns-2  Storage
      Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.
  P2  Secure transfer to storage accounts should be enabled
      404c3081-a854-4457-ae30-26a93ef643f9  2.0.0  audit  securetransfertostorageaccountmonitoring  azure_security_benchmark_v3.0_dp-3  Storage
      Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.
  P3  Storage accounts should be migrated to new Azure Resource Manager resources
      37e0d2fe-28a5-43d6-a273-67d37d1f5606  1.0.0  audit  classicstorageaccountsmonitoring  azure_security_benchmark_v3.0_am-2  Storage
      Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management.
  P4  [Preview]: Storage account public access should be disallowed
      4fa4b6c0-31ca-4c0d-b10d-24b96f62a751  3.1.0-preview  audit  storagedisallowpublicaccess  azure_security_benchmark_v3.0_ns-2  Storage
      Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.
  P5  Storage accounts should restrict network access using virtual network rules
      2a1a9cdf-e04d-429a-8416-3bfb72a1b26f  1.0.1  audit  storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect  azure_security_benchmark_v3.0_ns-2  Storage
      Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.
  P6  Storage accounts should use private link
      6edd7eda-6dd8-40f7-810d-67160c639cd9  2.0.0  auditifnotexists  storageaccountshoulduseaprivatelinkconnectionmonitoringeffect  azure_security_benchmark_v3.0_ns-2  Storage
      Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at https://aka.ms/azureprivatelinkoverview
  P7  Key Vault secrets should have an expiration date
      98728c90-32c7-4049-8429-847dc0f4fe37  1.0.2  audit  secretsexpirationset  (no PolicyDefinitionGroupNames)  Key Vault
      Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.

Records (IsCompliant is True for Compliant and False for NonCompliant; Lines = number of identical rows in the export, which carries no field that tells them apart):
  Resource            ResourceType                       ResourceLocation  Policy  Assignment  ComplianceState  Lines
  srscwrflustrehsm    Microsoft.Storage/storageAccounts  southcentralus    P1      A1          NonCompliant     1
  srscwrflustrehsm    Microsoft.Storage/storageAccounts  southcentralus    P2      A1          Compliant        1
  srscwrflustrehsm    Microsoft.Storage/storageAccounts  southcentralus    P3      A1          Compliant        1
  srscwrflustrehsm    Microsoft.Storage/storageAccounts  southcentralus    P4      A1          Compliant        1
  srscwrflustrehsm    Microsoft.Storage/storageAccounts  southcentralus    P4      A2          Compliant        1
  srscwrflustrehsm    Microsoft.Storage/storageAccounts  southcentralus    P5      A1          NonCompliant     1
  srscwrflustrehsm    Microsoft.Storage/storageAccounts  southcentralus    P6      A1          NonCompliant     1
  srscwrflustrehsm    Microsoft.Storage/storageAccounts  southcentralus    P6      A2          NonCompliant     1
  srcyclewsetus2      Microsoft.Storage/storageAccounts  westus2           P1      A1          NonCompliant     1
  srcyclewsetus2      Microsoft.Storage/storageAccounts  westus2           P2      A1          Compliant        1
  srcyclewsetus2      Microsoft.Storage/storageAccounts  westus2           P3      A1          Compliant        1
  srcyclewsetus2      Microsoft.Storage/storageAccounts  westus2           P3      A2          Compliant        1
  srcyclewsetus2      Microsoft.Storage/storageAccounts  westus2           P4      A1          NonCompliant     1
  srcyclewsetus2      Microsoft.Storage/storageAccounts  westus2           P4      A2          NonCompliant     1
  srcyclewsetus2      Microsoft.Storage/storageAccounts  westus2           P5      A1          NonCompliant     1
  srcyclewsetus2      Microsoft.Storage/storageAccounts  westus2           P5      A2          NonCompliant     1
  srcyclewsetus2      Microsoft.Storage/storageAccounts  westus2           P6      A1          NonCompliant     2
  srcyclewsetus2      Microsoft.Storage/storageAccounts  westus2           P6      A2          NonCompliant     2
  srcifstest          Microsoft.Storage/storageAccounts  southcentralus    P6      A1          NonCompliant     1
  cmaqcifsstorage     Microsoft.Storage/storageAccounts  eastus            P6      A2          NonCompliant     1
  srscwrfcycle        Microsoft.Storage/storageAccounts  southcentralus    P6      A1          NonCompliant     1
  srscwrfcycle        Microsoft.Storage/storageAccounts  southcentralus    P6      A2          NonCompliant     1
  srscwrfblobnfs      Microsoft.Storage/storageAccounts  southcentralus    P6      A2          NonCompliant     1
  steve-bastion-keys  Microsoft.KeyVault/vaults          southcentralus    P7      A1          NonCompliant     6

Reading the NonCompliant records: all six storage accounts that appear here (srscwrflustrehsm, srcyclewsetus2, srcifstest, cmaqcifsstorage, srscwrfcycle, srscwrfblobnfs) have no private endpoint (P6). The two accounts that were also evaluated against the network-restriction policies, srscwrflustrehsm and srcyclewsetus2, allow unrestricted network access (P1, P5), and srcyclewsetus2 additionally does not disallow anonymous public access (P4); both already enforce HTTPS-only transfer (P2) and are Resource Manager resources (P3). The vault steve-bastion-keys holds secrets without an expiration date (P7). Every policy in this group is assigned with the audit or auditifnotexists effect, so these findings are recorded only; nothing is denied or remediated by the assignment, and closing them (network rules with a Deny default, private endpoints, blob public access disabled, an expiry on each secret) is a separate change to the resources themselves.
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2srcyclewsetus255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployerazhop-deployer1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.KeyVault/vaultstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.keyvault/vaults/steve-bastion-keyssteve-bastion-keys55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a81.0.2secretsexpirationset98728c90-32c7-4049-8429-847dc0f4fe37/providers/microsoft.authorization/policydefinitions/98728c90-32c7-4049-8429-847dc0f4fe37tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.Key VaultKey Vault secrets should have an expiration date
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srscwrflustrehsmsrscwrflustrehsm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srscwrflustrehsmsrscwrflustrehsm55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcycle82lockersrcycle82locker55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqblobcmaqblob55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcycle82lockersrcycle82locker55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcycle82lockersrcycle82locker55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcycle82lockersrcycle82locker55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcycle82lockersrcycle82locker55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcycle82lockersrcycle82locker55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcycle82lockersrcycle82locker55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcycle82lockersrcycle82locker55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcycle82lockersrcycle82locker55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcycle82lockersrcycle82locker55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqcifsstoragecmaqcifsstorage55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclenewsrcyclenew55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclenewsrcyclenew55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclenewsrcyclenew55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclenewsrcyclenew55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcifstestsrcifstest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclenewsrcyclenew55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcifstestsrcifstest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcifstestsrcifstest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqfilescmaqfiles55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqcifsstoragecmaqcifsstorage55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqfilescmaqfiles55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqcifsstoragecmaqcifsstorage55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqfilescmaqfiles55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqfilescmaqfiles55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqfilescmaqfiles55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqfilescmaqfiles55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
Rows for the storage accounts in resource group steve_WRF, normalized: values that are identical in every row of this block are listed once, followed by the two policy assignments and six policy definitions the rows reference, then one line per (resource, policy, assignment) evaluation in the report's original order.

Shared values for every row: SubscriptionId 1d81cec7-7ded-4731-884e-90c5aa59c622; ResourceGroup steve_WRF; ResourceType Microsoft.Storage/storageAccounts; ResourceTags tbd; ResourceLocation southcentralus; ResourceId /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/<Resource>; PolicySetDefinitionName 1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionId /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8; PolicySetDefinitionVersion 55.0.0; PolicySetDefinitionCategory security center; PolicyDefinitionCategory tbd; PolicyAssignmentParameters tbd; PolicyCategory Storage. EffectiveParameters, PolicySetDefinitionParameters, PolicySetDefinitionOwner, PolicyEvaluationDetails, PolicyAssignmentVersion and PolicyAssignmentOwner are empty in every row.

Policy assignments referenced:
PolicyAssignmentName,PolicyAssignmentScope,PolicyAssignmentId
Azure_Security_Baseline,/providers/Microsoft.Management/managementGroups/MCAPSCore,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin

Policy definitions referenced:
PolicyDefinitionReferenceId,PolicyDefinitionName,PolicyDefinitionId,PolicyDefinitionVersion,PolicyDefinitionGroupNames,PolicyDefinitionAction,PolicyDisplayName,PolicyDescription
storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,3.1.0-preview,azure_security_benchmark_v3.0_ns-2,audit,"[Preview]: Storage account public access should be disallowed","Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it."
storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,1.0.1,azure_security_benchmark_v3.0_ns-2,audit,"Storage accounts should restrict network access using virtual network rules","Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts."
securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,2.0.0,azure_security_benchmark_v3.0_dp-3,audit,"Secure transfer to storage accounts should be enabled","Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking"
classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,1.0.0,azure_security_benchmark_v3.0_am-2,audit,"Storage accounts should be migrated to new Azure Resource Manager resources","Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management"
disableunrestrictednetworktostorageaccountmonitoring,34c877ad-507e-4c82-993e-3452a6e0ad3c,/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c,1.1.1,azure_security_benchmark_v3.0_ns-2,audit,"Storage accounts should restrict network access","Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges"
storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,2.0.0,azure_security_benchmark_v3.0_ns-2,auditifnotexists,"Storage accounts should use private link","Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview"

Per-resource evaluations:
Resource,PolicyDefinitionReferenceId,PolicyAssignmentName,IsCompliant,ComplianceState
cmaqfiles,storagedisallowpublicaccess,Azure_Security_Baseline,False,NonCompliant
cmaqfiles,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,Azure_Security_Baseline,False,NonCompliant
srcifstest,securetransfertostorageaccountmonitoring,SecurityCenterBuiltIn,True,Compliant
srcifstest,classicstorageaccountsmonitoring,SecurityCenterBuiltIn,True,Compliant
srcifstest,storagedisallowpublicaccess,SecurityCenterBuiltIn,False,NonCompliant
srcifstest,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,SecurityCenterBuiltIn,False,NonCompliant
srcifstest,disableunrestrictednetworktostorageaccountmonitoring,Azure_Security_Baseline,False,NonCompliant
srcifstest,classicstorageaccountsmonitoring,Azure_Security_Baseline,True,Compliant
srcyclenew,securetransfertostorageaccountmonitoring,Azure_Security_Baseline,True,Compliant
srcyclenew,classicstorageaccountsmonitoring,Azure_Security_Baseline,True,Compliant
srcyclenew,storagedisallowpublicaccess,Azure_Security_Baseline,True,Compliant
srscwrfcycle,securetransfertostorageaccountmonitoring,SecurityCenterBuiltIn,True,Compliant
srscwrfblobnfs,classicstorageaccountsmonitoring,Azure_Security_Baseline,True,Compliant
srscwrfcycle,classicstorageaccountsmonitoring,SecurityCenterBuiltIn,True,Compliant
srscwrfblobnfs,storagedisallowpublicaccess,Azure_Security_Baseline,True,Compliant
srscwrfcycle,storagedisallowpublicaccess,SecurityCenterBuiltIn,True,Compliant
srscwrfblobnfs,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,Azure_Security_Baseline,False,NonCompliant
srscwrfcycle,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,SecurityCenterBuiltIn,False,NonCompliant
srscwrfcycle,disableunrestrictednetworktostorageaccountmonitoring,Azure_Security_Baseline,False,NonCompliant
srscwrfcycle,securetransfertostorageaccountmonitoring,Azure_Security_Baseline,True,Compliant
srscwrfcycle,classicstorageaccountsmonitoring,Azure_Security_Baseline,True,Compliant
srscwrfcycle,storagedisallowpublicaccess,Azure_Security_Baseline,True,Compliant
srscwrfcycle,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,Azure_Security_Baseline,False,NonCompliant
srcyclenew,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,SecurityCenterBuiltIn,False,NonCompliant
srcycle82locker,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,SecurityCenterBuiltIn,False,NonCompliant
srcyclenew,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,Azure_Security_Baseline,False,NonCompliant
srscwrfblobnfs,securetransfertostorageaccountmonitoring,Azure_Security_Baseline,True,Compliant
srscwrfblobnfs,disableunrestrictednetworktostorageaccountmonitoring,Azure_Security_Baseline,True,Compliant
srscwrfblobnfs,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,SecurityCenterBuiltIn,False,NonCompliant
srscwrfblobnfs,storagedisallowpublicaccess,SecurityCenterBuiltIn,True,Compliant
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclenewsrcyclenew55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqfilescmaqfiles55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqfilescmaqfiles55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2srcyclewsetus255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2srcyclewsetus255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2srcyclewsetus255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2srcyclewsetus255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachines/extensionstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2srcyclewsetus255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2srcyclewsetus255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2srcyclewsetus255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2srcyclewsetus255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/cmaqblobcmaqblob55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcifstestsrcifstest55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srscwrfblobnfssrscwrfblobnfs55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srscwrfblobnfssrscwrfblobnfs55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Storage/storageAccountstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.storage/storageaccounts/srcyclewsetus2srcyclewsetus255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-newsr-cycle-new55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-82sr-cycle-8255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-newsr-cycle-new55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployerazhop-deployer55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622steve_wrfMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222galleryimagetest22255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_wrfMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222galleryimagetest22255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622steve_wrfMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222galleryimagetest22255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622steve_wrfMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222galleryimagetest22255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_wrfMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222galleryimagetest22255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622steve_wrfMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222galleryimagetest22255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622steve_wrfMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222galleryimagetest22255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622steve_wrfMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222galleryimagetest22255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622steve_wrfMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222galleryimagetest22255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622steve_wrfMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222galleryimagetest22255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622steve_wrfMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222galleryimagetest22255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_wrfMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222galleryimagetest22255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622steve_wrfMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222galleryimagetest22255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622steve_wrfMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222galleryimagetest22255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_wrfMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222galleryimagetest22255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_wrfMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222galleryimagetest22255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622steve_wrfMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222galleryimagetest22255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622steve_wrfMicrosoft.Compute/virtualMachines/extensionstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622steve_wrfMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222galleryimagetest22255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_wrfMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222galleryimagetest22255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622steve_wrfMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222galleryimagetest22255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_wrfMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222galleryimagetest22255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_wrfMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222galleryimagetest22255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_wrfMicrosoft.Compute/virtualMachines/extensionstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployerazhop-deployer55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622steve_wrfMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222galleryimagetest2221.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622steve_wrfMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222galleryimagetest2221.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622steve_wrfMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222galleryimagetest22255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622steve_wrfMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222galleryimagetest22255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622steve_wrfMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222galleryimagetest22255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_wrfMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222galleryimagetest22255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_wrfMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222galleryimagetest22255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622steve_wrfMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222galleryimagetest22255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622steve_wrfMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222galleryimagetest22255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622steve_wrfMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222galleryimagetest22255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_wrfMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222galleryimagetest22255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhfscheduler-mjsdcmtcgm3teljqmnrdcljuhf1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhfscheduler-mjsdcmtcgm3teljqmnrdcljuhf1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhfscheduler-mjsdcmtcgm3teljqmnrdcljuhf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhfscheduler-mjsdcmtcgm3teljqmnrdcljuhf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhfscheduler-mjsdcmtcgm3teljqmnrdcljuhf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhfscheduler-mjsdcmtcgm3teljqmnrdcljuhf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhfscheduler-mjsdcmtcgm3teljqmnrdcljuhf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf,scheduler-mjsdcmtcgm3teljqmnrdcljuhf,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,"[Preview]: Machines should be configured to periodically check for missing system updates"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf,scheduler-mjsdcmtcgm3teljqmnrdcljuhf,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,"[Preview]: vTPM should be enabled on supported virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver,cycleserver,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,"Authentication to Linux machines should require SSH keys"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf,scheduler-mjsdcmtcgm3teljqmnrdcljuhf,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,"[Preview]: Secure Boot should be enabled on supported Windows virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf,scheduler-mjsdcmtcgm3teljqmnrdcljuhf,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,"Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_wrf,Microsoft.Compute/virtualMachines/extensions,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222/extensions/azurepolicyforlinux,azurepolicyforlinux,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,"Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf,scheduler-mjsdcmtcgm3teljqmnrdcljuhf,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,"[Preview]: System updates should be installed on your machines (powered by Update Center)"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf,scheduler-mjsdcmtcgm3teljqmnrdcljuhf,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,"Management ports of virtual machines should be protected with just-in-time network access control"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf,scheduler-mjsdcmtcgm3teljqmnrdcljuhf,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,"Adaptive application controls for defining safe applications should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf,scheduler-mjsdcmtcgm3teljqmnrdcljuhf,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,"Allowlist rules in your adaptive application control policy should be updated"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf,scheduler-mjsdcmtcgm3teljqmnrdcljuhf,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf,scheduler-mjsdcmtcgm3teljqmnrdcljuhf,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Non-internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf,scheduler-mjsdcmtcgm3teljqmnrdcljuhf,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,"Vulnerabilities in security configuration on your machines should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Exempt,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf,scheduler-mjsdcmtcgm3teljqmnrdcljuhf,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,"System updates should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_wrf,Microsoft.Compute/virtualMachines/extensions,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222/extensions/azurepolicyforlinux,azurepolicyforlinux,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,"Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver,cycleserver,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Linux machines should meet requirements for the Azure compute security baseline"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_wrf,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222,galleryimagetest222,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,"Endpoint protection health issues should be resolved on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_wrf,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222,galleryimagetest222,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,3.0.0,prerequisite_deployextensionlinux,331e8ea8-378a-410f-a2e5-ae22f38bb0da,/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da,,tbd,deployifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_wrf,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222,galleryimagetest222,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,"System updates should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_wrf,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222,galleryimagetest222,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,"[Preview]: System updates should be installed on your machines (powered by Update Center)"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_wrf,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222,galleryimagetest222,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,"Management ports of virtual machines should be protected with just-in-time network access control"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_wrf,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222,galleryimagetest222,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,"Adaptive application controls for defining safe applications should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_wrf,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222,galleryimagetest222,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,"Allowlist rules in your adaptive application control policy should be updated"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_wrf,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222,galleryimagetest222,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_wrf,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222,galleryimagetest222,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Non-internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_wrf,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222,galleryimagetest222,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,"Vulnerabilities in security configuration on your machines should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_wrf,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222,galleryimagetest222,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,"Monitor missing Endpoint Protection in Azure Security Center"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_wrf,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222,galleryimagetest222,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_wrf,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222,galleryimagetest222,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,"A vulnerability assessment solution should be enabled on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_wrf,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222,galleryimagetest222,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,"All network ports should be restricted on network security groups associated to your virtual machine"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_wrf,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222,galleryimagetest222,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,"SQL servers on machines should have vulnerability findings resolved"
1d81cec7-7ded-4731-884e-90c5aa59c622steve_wrfMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222galleryimagetest22255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_wrfMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222galleryimagetest22255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_wrfMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222galleryimagetest22255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622steve_wrfMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222galleryimagetest22255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployerazhop-deployer55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622steve_wrfMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222galleryimagetest22255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_wrfMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222galleryimagetest22255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_wrfMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222galleryimagetest22255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhfscheduler-mjsdcmtcgm3teljqmnrdcljuhf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployerazhop-deployer55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployerazhop-deployer55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployerazhop-deployer55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployerazhop-deployer55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployerazhop-deployer55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployerazhop-deployer1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration3.0.0prerequisite_deployextensionlinux331e8ea8-378a-410f-a2e5-ae22f38bb0da/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0datbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployerazhop-deployer55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployerazhop-deployer55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployerazhop-deployer55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployerazhop-deployer55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployerazhop-deployer55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployerazhop-deployer55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployerazhop-deployer55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployerazhop-deployer55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
The following 31 export rows are all evaluations of one virtual machine under one policy set. The fields that are identical on every row are given once, followed by the per-row fields (in export order) and then the policy definitions the rows reference.

Common fields
SubscriptionId: 1d81cec7-7ded-4731-884e-90c5aa59c622
ResourceGroup: steve_WRF
ResourceType: Microsoft.Compute/virtualMachines
ResourceTags: tbd
ResourceLocation: southcentralus
ResourceId: /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer
Resource: azhop-deployer
PolicySetDefinitionName: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicySetDefinitionId: /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8
PolicySetDefinitionVersion: 55.0.0
PolicySetDefinitionCategory: security center
PolicyDefinitionCategory: tbd
PolicyAssignmentParameters: tbd
EffectiveParameters, PolicySetDefinitionParameters, PolicySetDefinitionOwner, PolicyEvaluationDetails, PolicyAssignmentVersion, PolicyAssignmentOwner: empty on every row
PolicyDefinitionId is /providers/microsoft.authorization/policydefinitions/<PolicyDefinitionName> on every row.

Assignments
Azure_Security_Baseline: PolicyAssignmentScope /providers/Microsoft.Management/managementGroups/MCAPSCore, PolicyAssignmentId /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
SecurityCenterBuiltIn: PolicyAssignmentScope /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622, PolicyAssignmentId /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin

Evaluations
IsCompliant | ComplianceState | PolicyDefinitionReferenceId | PolicyDefinitionName | PolicyDefinitionVersion | PolicyDefinitionGroupNames | PolicyDefinitionAction | PolicyAssignmentName
True | Compliant | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | 3.0.0 | azure_security_benchmark_v3.0_es-2 | auditifnotexists | Azure_Security_Baseline
False | NonCompliant | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | 2.0.3 | azure_security_benchmark_v3.0_dp-4 | auditifnotexists | Azure_Security_Baseline
True | Compliant | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | 3.0.0 | azure_security_benchmark_v3.0_pv-5 | auditifnotexists | Azure_Security_Baseline
True | Compliant | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | 3.0.0 | azure_security_benchmark_v3.0_ns-1 | auditifnotexists | Azure_Security_Baseline
False | NonCompliant | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | 1.0.0 | azure_security_benchmark_v3.0_pv-6 | auditifnotexists | Azure_Security_Baseline
True | Compliant | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | 3.0.0 | System.Object[] | auditifnotexists | Azure_Security_Baseline
True | Compliant | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | 3.0.0 | azure_security_benchmark_v3.0_am-5 | auditifnotexists | Azure_Security_Baseline
True | Compliant | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | 3.0.0 | azure_security_benchmark_v3.0_ns-3 | auditifnotexists | SecurityCenterBuiltIn
True | Compliant | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | 3.0.0 | System.Object[] | auditifnotexists | SecurityCenterBuiltIn
False | NonCompliant | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | 1.0.0 | azure_security_benchmark_v3.0_pv-6 | auditifnotexists | SecurityCenterBuiltIn
True | Compliant | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | 1.0.0 | azure_security_benchmark_v3.0_am-2 | audit | SecurityCenterBuiltIn
False | NonCompliant | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | 2.0.0-preview | azure_security_benchmark_v3.0_pv-6 | audit | SecurityCenterBuiltIn
True | Compliant | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | 2.0.0-preview | azure_security_benchmark_v3.0_pv-4 | audit | SecurityCenterBuiltIn
True | Compliant | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | 4.0.0-preview | azure_security_benchmark_v3.0_pv-4 | audit | SecurityCenterBuiltIn
True | Compliant | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | 1.0.0 | azure_security_benchmark_v3.0_am-2 | audit | Azure_Security_Baseline
False | NonCompliant | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | 2.0.0-preview | azure_security_benchmark_v3.0_pv-6 | audit | Azure_Security_Baseline
True | Compliant | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | 2.0.0-preview | azure_security_benchmark_v3.0_pv-4 | audit | Azure_Security_Baseline
True | Compliant | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | 4.0.0-preview | azure_security_benchmark_v3.0_pv-4 | audit | Azure_Security_Baseline
True | Exempt | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | 4.0.0 | azure_security_benchmark_v3.0_pv-6 | auditifnotexists | SecurityCenterBuiltIn
True | Compliant | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | 1.0.0 | azure_security_benchmark_v3.0_lt-5 | auditifnotexists | SecurityCenterBuiltIn
True | Compliant | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | 1.0.0-preview | azure_security_benchmark_v3.0_pv-6 | auditifnotexists | SecurityCenterBuiltIn
True | Compliant | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | 3.0.0 | System.Object[] | auditifnotexists | SecurityCenterBuiltIn
False | NonCompliant | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | 3.0.0 | azure_security_benchmark_v3.0_am-5 | auditifnotexists | SecurityCenterBuiltIn
True | Compliant | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | 3.0.0 | azure_security_benchmark_v3.0_am-5 | auditifnotexists | SecurityCenterBuiltIn
True | Compliant | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | 3.0.0 | azure_security_benchmark_v3.0_ns-1 | auditifnotexists | SecurityCenterBuiltIn
True | Compliant | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | 3.0.0 | azure_security_benchmark_v3.0_ns-1 | auditifnotexists | SecurityCenterBuiltIn
False | NonCompliant | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | 3.0.0 | azure_security_benchmark_v3.0_pv-6 | auditifnotexists | SecurityCenterBuiltIn
True | Compliant | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | 3.0.0 | azure_security_benchmark_v3.0_es-2 | auditifnotexists | SecurityCenterBuiltIn
False | NonCompliant | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | 2.0.3 | azure_security_benchmark_v3.0_dp-4 | auditifnotexists | SecurityCenterBuiltIn
True | Compliant | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | 3.0.0 | azure_security_benchmark_v3.0_pv-5 | auditifnotexists | SecurityCenterBuiltIn
True | Compliant | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | 3.0.0 | azure_security_benchmark_v3.0_ns-1 | auditifnotexists | SecurityCenterBuiltIn

Notes on the evaluations: "System.Object[]" in PolicyDefinitionGroupNames is where the exporting script stringified a multi-valued group list, so the individual benchmark controls for those three definitions are not preserved in this export. The Exempt row carries IsCompliant True; that is an exemption on the assignment, not an evaluation that passed, and it should not be counted as a satisfied control. Each policy definition assigned at both the MCAPSCore management group and the subscription appears twice for this VM, once per assignment, so distinct findings are fewer than rows.

Policy definitions referenced
PolicyDefinitionName | PolicyCategory | PolicyDisplayName | PolicyDescription
af6cd1bd-1635-48cb-bde7-5b15693900b9 | Security Center | Monitor missing Endpoint Protection in Azure Security Center | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations
0961003e-5a0a-4549-abde-af6a37f2724d | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison
501541f7-f7e7-4cd6-868c-4190fdad3ac9 | Security Center | A vulnerability assessment solution should be enabled on your virtual machines | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.
9daedab3-fb2d-461e-b861-71790eead4f6 | Security Center | All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.
6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | Security Center | SQL servers on machines should have vulnerability findings resolved | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.
08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface
123a3936-f020-408a-ba0c-47873faf1534 | Security Center | Allowlist rules in your adaptive application control policy should be updated | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.
22730e10-96f6-4aac-ad84-9383d35b5917 | Security Center | Management ports should be closed on your virtual machines | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.
1d84d5fb-01f6-4d12-ba4f-4a26081d403d | Compute | Virtual machines should be migrated to new Azure Resource Manager resources | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management
bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.
1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | Security Center | [Preview]: vTPM should be enabled on supported virtual machines | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.
97566dd7-78ae-4997-8b36-1c7bfe0d8121 | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.
86b3d65f-7626-441e-b690-81a8b71cff60 | Security Center | System updates should be installed on your machines | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations
a4fe33eb-e377-4efb-ab31-0784311bc499 | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats
f85bf3e0-d513-442e-89c3-1784ad63382b | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center) | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.
b0f33259-77d7-4c9e-aac6-3aabcfae693c | Security Center | Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations
47a6b606-51aa-4496-8bb7-64b11cf66adc | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.
f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | Security Center | Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc
bb91dfba-c30d-4263-9add-9c2384e659a6 | Security Center | Non-internet-facing virtual machines should be protected with network security groups | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc
e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | Security Center | Vulnerabilities in security configuration on your machines should be remediated | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployerazhop-deployer55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployerazhop-deployer55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployerazhop-deployer55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployerazhop-deployer55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration3.0.0prerequisite_deployextensionlinux331e8ea8-378a-410f-a2e5-ae22f38bb0da/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0datbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployerazhop-deployer55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployerazhop-deployer55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_wrfMicrosoft.Compute/virtualMachines/extensionstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622steve_wrfMicrosoft.Compute/virtualMachines/extensionstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployer/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-newsr-cycle-new55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/azhop-deployerazhop-deployer55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhfscheduler-mjsdcmtcgm3teljqmnrdcljuhf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleservercycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhfscheduler-mjsdcmtcgm3teljqmnrdcljuhf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumjserver-mi4dcobymfrgillegrsgeljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumjserver-mi4dcobymfrgillegrsgeljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumjserver-mi4dcobymfrgillegrsgeljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumjserver-mi4dcobymfrgillegrsgeljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumjserver-mi4dcobymfrgillegrsgeljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumjserver-mi4dcobymfrgillegrsgeljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumjserver-mi4dcobymfrgillegrsgeljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumjserver-mi4dcobymfrgillegrsgeljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumjserver-mi4dcobymfrgillegrsgeljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumjserver-mi4dcobymfrgillegrsgeljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumjserver-mi4dcobymfrgillegrsgeljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumjserver-mi4dcobymfrgillegrsgeljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumjserver-mi4dcobymfrgillegrsgeljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumjserver-mi4dcobymfrgillegrsgeljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumjserver-mi4dcobymfrgillegrsgeljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachines/extensionstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumjserver-mi4dcobymfrgillegrsgeljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumjserver-mi4dcobymfrgillegrsgeljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumjserver-mi4dcobymfrgillegrsgeljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhfscheduler-mjsdcmtcgm3teljqmnrdcljuhf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhfscheduler-mjsdcmtcgm3teljqmnrdcljuhf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhfscheduler-mjsdcmtcgm3teljqmnrdcljuhf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhfscheduler-mjsdcmtcgm3teljqmnrdcljuhf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622steve_wrfMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222galleryimagetest22255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622steve_wrfMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222galleryimagetest22255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
SubscriptionId,ResourceGroup,ResourceType,ResourceTags,ResourceLocation,IsCompliant,ComplianceState,EffectiveParameters,ResourceId,Resource,PolicySetDefinitionVersion,PolicySetDefinitionParameters,PolicySetDefinitionOwner,PolicySetDefinitionName,PolicySetDefinitionId,PolicySetDefinitionCategory,PolicyEvaluationDetails,PolicyDefinitionVersion,PolicyDefinitionReferenceId,PolicyDefinitionName,PolicyDefinitionId,PolicyDefinitionGroupNames,PolicyDefinitionCategory,PolicyDefinitionAction,PolicyAssignmentVersion,PolicyAssignmentScope,PolicyAssignmentParameters,PolicyAssignmentOwner,PolicyAssignmentName,PolicyAssignmentId,PolicyDescription,PolicyCategory,PolicyDisplayName
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj,server-mi4dcobymfrgillegrsgeljumj,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhennone,3cf2ab00-13f1-4d0c-8971-2ac904541a7e,/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj,server-mi4dcobymfrgillegrsgeljumj,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj,server-mi4dcobymfrgillegrsgeljumj,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhenuser,497dff13-db2a-4c0f-8603-28fa3b331ab6,/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj,server-mi4dcobymfrgillegrsgeljumj,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj,server-mi4dcobymfrgillegrsgeljumj,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj,server-mi4dcobymfrgillegrsgeljumj,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj,server-mi4dcobymfrgillegrsgeljumj,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj,server-mi4dcobymfrgillegrsgeljumj,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj,server-mi4dcobymfrgillegrsgeljumj,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj,server-mi4dcobymfrgillegrsgeljumj,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj,server-mi4dcobymfrgillegrsgeljumj,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf,scheduler-mjsdcmtcgm3teljqmnrdcljuhf,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,Authentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj,server-mi4dcobymfrgillegrsgeljumj,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,Azure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj,server-mi4dcobymfrgillegrsgeljumj,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj,server-mi4dcobymfrgillegrsgeljumj,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,IP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj,server-mi4dcobymfrgillegrsgeljumj,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_wrf,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222,galleryimagetest222,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,Authentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj,server-mi4dcobymfrgillegrsgeljumj,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,Azure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj,server-mi4dcobymfrgillegrsgeljumj,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj,server-mi4dcobymfrgillegrsgeljumj,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf,scheduler-mjsdcmtcgm3teljqmnrdcljuhf,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,Linux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj,server-mi4dcobymfrgillegrsgeljumj,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,Management ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new,sr-cycle-new,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhennone,3cf2ab00-13f1-4d0c-8971-2ac904541a7e,/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new,sr-cycle-new,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new,sr-cycle-new,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new,sr-cycle-new,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new,sr-cycle-new,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new,sr-cycle-new,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new,sr-cycle-new,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622,steve_WRF,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-new,sr-cycle-new,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/sr-cycle-newsr-cycle-new1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhfscheduler-mjsdcmtcgm3teljqmnrdcljuhf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumjserver-mi4dcobymfrgillegrsgeljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumjserver-mi4dcobymfrgillegrsgeljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumjserver-mi4dcobymfrgillegrsgeljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumjserver-mi4dcobymfrgillegrsgeljumj1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration3.0.0prerequisite_deployextensionlinux331e8ea8-378a-410f-a2e5-ae22f38bb0da/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0datbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumjserver-mi4dcobymfrgillegrsgeljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumjserver-mi4dcobymfrgillegrsgeljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_wrfMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/galleryimagetest222galleryimagetest22255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumjserver-mi4dcobymfrgillegrsgeljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumjserver-mi4dcobymfrgillegrsgeljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumjserver-mi4dcobymfrgillegrsgeljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumjserver-mi4dcobymfrgillegrsgeljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumjserver-mi4dcobymfrgillegrsgeljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumjserver-mi4dcobymfrgillegrsgeljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhfscheduler-mjsdcmtcgm3teljqmnrdcljuhf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumjserver-mi4dcobymfrgillegrsgeljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumjserver-mi4dcobymfrgillegrsgeljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumjserver-mi4dcobymfrgillegrsgeljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumjserver-mi4dcobymfrgillegrsgeljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumjserver-mi4dcobymfrgillegrsgeljumj55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve_WRFMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhfscheduler-mjsdcmtcgm3teljqmnrdcljuhf55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/server-mi4dcobymfrgillegrsgeljumj | server-mi4dcobymfrgillegrsgeljumj | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines/extensions | tbd | southcentralus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 1.0.0 |  |  | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration |  | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da |  | tbd | deployifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | tbd |  | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/cycleserver | cycleserver | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 2.0.0 | linuxguestconfigbaselinesmonitoring | fc9b3da7-8347-4380-8e70-0a0361d8dedd | /providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Linux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines/extensions | tbd | southcentralus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622 | steve_WRF | Microsoft.Compute/virtualMachines | tbd | southcentralus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve_wrf/providers/microsoft.compute/virtualmachines/scheduler-mjsdcmtcgm3teljqmnrdcljuhf | scheduler-mjsdcmtcgm3teljqmnrdcljuhf | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104 | testcn104 | 1.0.0 |  |  | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration |  | 1.2.0 | prerequisite_deployextensionwindows | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | /providers/microsoft.authorization/policydefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6 |  | tbd | deployifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | tbd |  | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104testcn10455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104testcn10455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001testcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect5752e6d6-1206-46d8-8ab1-ecc2f71a8112/providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112azure_security_benchmark_v3.0_dp-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.Guest ConfigurationWindows web servers should be configured to use secure communication protocols
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104testcn10455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104testcn10455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001testcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0windowsdefenderexploitguardmonitoringbed48b13-6647-468e-aa2f-1af1d3f4dd40/providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineWindows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).Guest ConfigurationWindows Defender Exploit Guard should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001testcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0windowsdefenderexploitguardmonitoringbed48b13-6647-468e-aa2f-1af1d3f4dd40/providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinWindows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).Guest ConfigurationWindows Defender Exploit Guard should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104testcn10455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104testcn10455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104testcn10455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104testcn10455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104testcn10455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect5752e6d6-1206-46d8-8ab1-ecc2f71a8112/providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112azure_security_benchmark_v3.0_dp-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.Guest ConfigurationWindows web servers should be configured to use secure communication protocols
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104testcn10455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104testcn10455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104testcn10455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001testcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0windowsguestconfigbaselinesmonitoring72650e9f-97bc-4b2a-ab5f-9781a9fcecbc/providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbcazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationWindows machines should meet requirements of the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104testcn10455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104testcn10455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104testcn10455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104testcn10455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104testcn10455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104testcn10455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104testcn10455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104testcn10455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104,testcn104,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104,testcn104,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,"Allowlist rules in your adaptive application control policy should be updated"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104,testcn104,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,"Adaptive application controls for defining safe applications should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104,testcn104,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,"Management ports of virtual machines should be protected with just-in-time network access control"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104,testcn104,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,"[Preview]: System updates should be installed on your machines (powered by Update Center)"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104,testcn104,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,"System updates should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104,testcn104,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,"Management ports should be closed on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104,testcn104,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,"Azure Backup should be enabled for Virtual Machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104,testcn104,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,"Guest Configuration extension should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines/extensions,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104/extensions/azurepolicyforwindows,azurepolicyforwindows,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,"Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105,cn105,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,"SQL servers on machines should have vulnerability findings resolved"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107,testcn107,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhenuser,497dff13-db2a-4c0f-8603-28fa3b331ab6,/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107,testcn107,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107,testcn107,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,"A vulnerability assessment solution should be enabled on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107,testcn107,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,"All network ports should be restricted on network security groups associated to your virtual machine"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107,testcn107,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,"SQL servers on machines should have vulnerability findings resolved"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107,testcn107,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,"Adaptive network hardening recommendations should be applied on internet facing virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107,testcn107,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,"Management ports should be closed on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107,testcn107,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,"IP Forwarding on your virtual machine should be disabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107,testcn107,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,"Monitor missing Endpoint Protection in Azure Security Center"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107,testcn107,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,"Vulnerabilities in container security configurations should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107,testcn107,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,"Azure Backup should be enabled for Virtual Machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104,testcn104,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,windowsdefenderexploitguardmonitoring,bed48b13-6647-468e-aa2f-1af1d3f4dd40,/providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).",Guest Configuration,"Windows Defender Exploit Guard should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107,testcn107,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,"Endpoint protection should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107,testcn107,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,"Endpoint protection health issues should be resolved on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107,testcn107,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,"Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107,testcn107,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,"Guest Configuration extension should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107,testcn107,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,1.2.0,prerequisite_deployextensionwindows,385f5831-96d4-41db-9a3c-cd3af78aaae6,/providers/microsoft.authorization/policydefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6,,tbd,deployifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001,testcn001,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,windowsguestconfigbaselinesmonitoring,72650e9f-97bc-4b2a-ab5f-9781a9fcecbc,/providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Windows machines should meet requirements of the Azure compute security baseline"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107,testcn107,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,"Vulnerabilities in security configuration on your machines should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107,testcn107,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Non-internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107,testcn107,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107testcn10755.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107testcn10755.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107testcn10755.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107testcn10755.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107testcn10755.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107testcn10755.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107testcn10755.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107testcn10755.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104testcn10455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107testcn10755.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107testcn10755.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107/extensions/azurepolicyforwindowsazurepolicyforwindows55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001testcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect5752e6d6-1206-46d8-8ab1-ecc2f71a8112/providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112azure_security_benchmark_v3.0_dp-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.Guest ConfigurationWindows web servers should be configured to use secure communication protocols
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107testcn10755.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107testcn10755.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107testcn10755.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107testcn10755.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107testcn1071.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104testcn10455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104testcn10455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107testcn10755.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001testcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001testcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.2-preview | ascdependencyagentauditwindowseffect | 2f2ee1de-44aa-4762-b6bd-0893fc3f306d | /providers/microsoft.authorization/policydefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 2.0.0 | windowsguestconfigbaselinesmonitoring | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | /providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Guest Configuration | Windows machines should meet requirements of the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.2-preview | ascdependencyagentauditwindowseffect | 2f2ee1de-44aa-4762-b6bd-0893fc3f306d | /providers/microsoft.authorization/policydefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d | azure_security_benchmark_v3.0_lt-4 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Monitoring | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000 | testcn000 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622 | SteveGMWin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001 | testcn001 | 1.0.0 | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | | tbd | modify | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001testcn0011.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001testcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001testcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001testcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001testcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001testcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001testcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001testcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001testcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001testcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000testcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0windowsdefenderexploitguardmonitoringbed48b13-6647-468e-aa2f-1af1d3f4dd40/providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinWindows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).Guest ConfigurationWindows Defender Exploit Guard should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001testcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001linuxcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001testcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001linuxcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001testcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001testcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104testcn10455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104testcn10455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104testcn10455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104testcn10455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104testcn10455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104testcn10455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Exempt,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104,testcn104,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,"System updates should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines/extensions,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001/extensions/azurepolicyforwindows,azurepolicyforwindows,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,"Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104,testcn104,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,"Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000,testcn000,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,windowsguestconfigbaselinesmonitoring,72650e9f-97bc-4b2a-ab5f-9781a9fcecbc,/providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Windows machines should meet requirements of the Azure compute security baseline"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104,testcn104,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,"[Preview]: Machines should be configured to periodically check for missing system updates"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines/extensions,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104/extensions/azurepolicyforwindows,azurepolicyforwindows,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,"Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104,testcn104,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,"[Preview]: System updates should be installed on your machines (powered by Update Center)"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104,testcn104,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,"Management ports of virtual machines should be protected with just-in-time network access control"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104,testcn104,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,"Adaptive application controls for defining safe applications should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104,testcn104,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,"Allowlist rules in your adaptive application control policy should be updated"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104,testcn104,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104,testcn104,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Non-internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104,testcn104,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,"Vulnerabilities in security configuration on your machines should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104,testcn104,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,"Monitor missing Endpoint Protection in Azure Security Center"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104,testcn104,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104,testcn104,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,"A vulnerability assessment solution should be enabled on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000,testcn000,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect,5752e6d6-1206-46d8-8ab1-ecc2f71a8112,/providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112,azure_security_benchmark_v3.0_dp-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.",Guest Configuration,"Windows web servers should be configured to use secure communication protocols"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104,testcn104,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,"SQL servers on machines should have vulnerability findings resolved"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104,testcn104,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,"Virtual machines should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104,testcn104,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhennone,3cf2ab00-13f1-4d0c-8971-2ac904541a7e,/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001,testcn001,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,"Management ports of virtual machines should be protected with just-in-time network access control"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001,testcn001,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,"Adaptive application controls for defining safe applications should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001,testcn001,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,"Allowlist rules in your adaptive application control policy should be updated"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001,testcn001,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001,testcn001,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Non-internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001,testcn001,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,"Vulnerabilities in security configuration on your machines should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001,testcn001,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,"Monitor missing Endpoint Protection in Azure Security Center"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001,testcn001,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001,testcn001,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,"A vulnerability assessment solution should be enabled on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001,testcn001,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,"All network ports should be restricted on network security groups associated to your virtual machine"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104,testcn104,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhenuser,497dff13-db2a-4c0f-8603-28fa3b331ab6,/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity"
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001testcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001testcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001testcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001testcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001testcn0011.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration1.2.0prerequisite_deployextensionwindows385f5831-96d4-41db-9a3c-cd3af78aaae6/providers/microsoft.authorization/policydefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6tbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001testcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2-previewascdependencyagentauditwindowseffect2f2ee1de-44aa-4762-b6bd-0893fc3f306d/providers/microsoft.authorization/policydefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306dazure_security_benchmark_v3.0_lt-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecurity Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.Monitoring[Preview]: Network traffic data collection agent should be installed on Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001testcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001testcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001testcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001/extensions/azurepolicyforwindowsazurepolicyforwindows55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000testcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect5752e6d6-1206-46d8-8ab1-ecc2f71a8112/providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112azure_security_benchmark_v3.0_dp-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.Guest ConfigurationWindows web servers should be configured to use secure communication protocols
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn001testcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107testcn10755.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107testcn10755.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107testcn10755.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpcf4hy3f5xkbud2hpcf4hy3f5xkbud255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpcf4hy3f5xkbud2hpcf4hy3f5xkbud255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpcf4hy3f5xkbud2hpcf4hy3f5xkbud255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpcf4hy3f5xkbud2hpcf4hy3f5xkbud255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpcf4hy3f5xkbud2hpcf4hy3f5xkbud255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpcf4hy3f5xkbud2hpcf4hy3f5xkbud255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpcf4hy3f5xkbud2hpcf4hy3f5xkbud255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpcf4hy3f5xkbud2hpcf4hy3f5xkbud255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpcf4hy3f5xkbud2hpcf4hy3f5xkbud255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105cn10555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Network/virtualNetworkstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.network/virtualnetworks/honeywellvnethoneywellvnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vnetenableddosprotectionmonitoringa7aca53f-2ed4-4466-a25e-0b45ade68efd/providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efdazure_security_benchmark_v3.0_ns-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.Security CenterAzure DDoS Protection Standard should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105cn10555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105cn10555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105cn10555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105cn10555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105cn10555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105cn10555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105cn1051.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration1.2.0prerequisite_deployextensionwindows385f5831-96d4-41db-9a3c-cd3af78aaae6/providers/microsoft.authorization/policydefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6tbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105cn10555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpc6tj6f36ptfnqyhpc6tj6f36ptfnqy55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.network/virtualnetworks/honeywellvnet/subnets/subnet-1subnet-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpckmdt332nbah72hpckmdt332nbah7255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpcn34qa3hcrydl2hpcn34qa3hcrydl255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpcn34qa3hcrydl2hpcn34qa3hcrydl255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpcn34qa3hcrydl2hpcn34qa3hcrydl255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpcn34qa3hcrydl2hpcn34qa3hcrydl255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpcn34qa3hcrydl2hpcn34qa3hcrydl255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpcn34qa3hcrydl2hpcn34qa3hcrydl255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpcn34qa3hcrydl2hpcn34qa3hcrydl255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpcn34qa3hcrydl2hpcn34qa3hcrydl255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpcn34qa3hcrydl2hpcn34qa3hcrydl255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpcf4hy3f5xkbud2hpcf4hy3f5xkbud255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpcf4hy3f5xkbud2hpcf4hy3f5xkbud255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpckmdt332nbah72hpckmdt332nbah7255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpckmdt332nbah72hpckmdt332nbah7255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpckmdt332nbah72,hpckmdt332nbah72,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,"Storage accounts should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpckmdt332nbah72,hpckmdt332nbah72,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,"Secure transfer to storage accounts should be enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Storage/storageAccounts,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpckmdt332nbah72,hpckmdt332nbah72,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.1.1,disableunrestrictednetworktostorageaccountmonitoring,34c877ad-507e-4c82-993e-3452a6e0ad3c,/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges",Storage,"Storage accounts should restrict network access"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Storage/storageAccounts,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpckmdt332nbah72,hpckmdt332nbah72,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,"Storage accounts should restrict network access using virtual network rules"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpckmdt332nbah72,hpckmdt332nbah72,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,"[Preview]: Storage account public access should be disallowed"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpckmdt332nbah72,hpckmdt332nbah72,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,"Storage accounts should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Storage/storageAccounts,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpc6tj6f36ptfnqy,hpc6tj6f36ptfnqy,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,"Storage accounts should restrict network access using virtual network rules"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.KeyVault/vaults,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.keyvault/vaults/gmhpckeyvault,gmhpckeyvault,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,5.0.0,diagnosticslogsinkeyvaultmonitoring,cf820ca0-f99e-4f3e-84fb-66e913812d21,/providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised",Key Vault,"Resource logs in Key Vault should be enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpc6tj6f36ptfnqy,hpc6tj6f36ptfnqy,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,"[Preview]: Storage account public access should be disallowed"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpc6tj6f36ptfnqy,hpc6tj6f36ptfnqy,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,"Storage accounts should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105,cn105,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Non-internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105,cn105,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect,5752e6d6-1206-46d8-8ab1-ecc2f71a8112,/providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112,azure_security_benchmark_v3.0_dp-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.",Guest Configuration,"Windows web servers should be configured to use secure communication protocols"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105,cn105,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect,5752e6d6-1206-46d8-8ab1-ecc2f71a8112,/providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112,azure_security_benchmark_v3.0_dp-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.",Guest Configuration,"Windows web servers should be configured to use secure communication protocols"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105,cn105,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,windowsguestconfigbaselinesmonitoring,72650e9f-97bc-4b2a-ab5f-9781a9fcecbc,/providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Windows machines should meet requirements of the Azure compute security baseline"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105,cn105,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,windowsdefenderexploitguardmonitoring,bed48b13-6647-468e-aa2f-1af1d3f4dd40,/providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).",Guest Configuration,"Windows Defender Exploit Guard should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105,cn105,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,windowsguestconfigbaselinesmonitoring,72650e9f-97bc-4b2a-ab5f-9781a9fcecbc,/providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Windows machines should meet requirements of the Azure compute security baseline"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105,cn105,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,"Vulnerabilities in security configuration on your machines should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105,cn105,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,windowsdefenderexploitguardmonitoring,bed48b13-6647-468e-aa2f-1af1d3f4dd40,/providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).",Guest Configuration,"Windows Defender Exploit Guard should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105,cn105,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,"Azure Backup should be enabled for Virtual Machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105,cn105,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,"Azure Backup should be enabled for Virtual Machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105,cn105,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,"Endpoint protection health issues should be resolved on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105,cn105,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,"Endpoint protection should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105,cn105,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,"Monitor missing Endpoint Protection in Azure Security Center"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105,cn105,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,"IP Forwarding on your virtual machine should be disabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105,cn105,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,"Vulnerabilities in container security configurations should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105,cn105,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,"Management ports should be closed on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105,cn105,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105,cn105,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,"Adaptive network hardening recommendations should be applied on internet facing virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105,cn105,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,"All network ports should be restricted on network security groups associated to your virtual machine"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105,cn105,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Network/virtualNetworks,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.network/virtualnetworks/honeywellvnet,honeywellvnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0-preview,azurefirewalleffect,fc5e4038-4584-4632-8c85-c0448d374b2c,/providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall",Network,"[Preview]: All Internet traffic should be routed via your deployed Azure Firewall"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105,cn105,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,"Allowlist rules in your adaptive application control policy should be updated"
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105cn10555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpc6tj6f36ptfnqyhpc6tj6f36ptfnqy55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpc6tj6f36ptfnqyhpc6tj6f36ptfnqy55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpc6tj6f36ptfnqyhpc6tj6f36ptfnqy55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpc6tj6f36ptfnqyhpc6tj6f36ptfnqy55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpc6tj6f36ptfnqyhpc6tj6f36ptfnqy55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpc6tj6f36ptfnqyhpc6tj6f36ptfnqy55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.keyvault/vaults/gmhpckeyvaultgmhpckeyvault55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center5.0.0diagnosticslogsinkeyvaultmonitoringcf820ca0-f99e-4f3e-84fb-66e913812d21/providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromisedKey VaultResource logs in Key Vault should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105cn10555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.keyvault/vaults/gmhpckeyvaultgmhpckeyvault55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0-previewprivateendpointshouldbeconfiguredforkeyvaultmonitoringeffect5f0bc445-3935-4915-9981-011aa2b46147/providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147System.Object[]tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePrivate link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration.Key Vault[Preview]: Private endpoint should be configured for Key Vault
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.keyvault/vaults/gmhpckeyvaultgmhpckeyvault55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0firewallshouldbeenabledonkeyvaultmonitoringeffect55615ac9-af46-4a59-874e-391cc3dfb490/providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490System.Object[]tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-securityKey VaultAzure Key Vault should have firewall enabled
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.KeyVault/vaultstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.keyvault/vaults/gmhpckeyvaultgmhpckeyvault55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0keyvaultsshouldhavesoftdeleteenabledmonitoringeffect1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d/providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2dazure_security_benchmark_v3.0_dp-8tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineDeleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.Key VaultKey vaults should have soft delete enabled
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.keyvault/vaults/gmhpckeyvaultgmhpckeyvault55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect0b60c0b2-2dc2-4e1c-b5c9-abbed971de53/providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53azure_security_benchmark_v3.0_dp-8tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMalicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.Key VaultKey vaults should have purge protection enabled
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.keyvault/vaults/gmhpckeyvaultgmhpckeyvault55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0-previewprivateendpointshouldbeconfiguredforkeyvaultmonitoringeffect5f0bc445-3935-4915-9981-011aa2b46147/providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147System.Object[]tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPrivate link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration.Key Vault[Preview]: Private endpoint should be configured for Key Vault
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.keyvault/vaults/gmhpckeyvaultgmhpckeyvault55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0firewallshouldbeenabledonkeyvaultmonitoringeffect55615ac9-af46-4a59-874e-391cc3dfb490/providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490System.Object[]tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-securityKey VaultAzure Key Vault should have firewall enabled
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.KeyVault/vaultstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.keyvault/vaults/gmhpckeyvaultgmhpckeyvault55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0keyvaultsshouldhavesoftdeleteenabledmonitoringeffect1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d/providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2dazure_security_benchmark_v3.0_dp-8tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDeleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.Key VaultKey vaults should have soft delete enabled
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.keyvault/vaults/gmhpckeyvaultgmhpckeyvault55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect0b60c0b2-2dc2-4e1c-b5c9-abbed971de53/providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53azure_security_benchmark_v3.0_dp-8tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMalicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.Key VaultKey vaults should have purge protection enabled
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105cn10555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105cn10555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105cn10555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105cn10555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107testcn10755.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105cn10555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/stevegmwin,stevegmwin,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,"Storage accounts should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107,testcn107,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect,5752e6d6-1206-46d8-8ab1-ecc2f71a8112,/providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112,azure_security_benchmark_v3.0_dp-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.",Guest Configuration,"Windows web servers should be configured to use secure communication protocols"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104,testcn104,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,windowsdefenderexploitguardmonitoring,bed48b13-6647-468e-aa2f-1af1d3f4dd40,/providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).",Guest Configuration,"Windows Defender Exploit Guard should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104,testcn104,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,windowsguestconfigbaselinesmonitoring,72650e9f-97bc-4b2a-ab5f-9781a9fcecbc,/providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Windows machines should meet requirements of the Azure compute security baseline"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107,testcn107,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,windowsguestconfigbaselinesmonitoring,72650e9f-97bc-4b2a-ab5f-9781a9fcecbc,/providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Windows machines should meet requirements of the Azure compute security baseline"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107,testcn107,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect,5752e6d6-1206-46d8-8ab1-ecc2f71a8112,/providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112,azure_security_benchmark_v3.0_dp-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.",Guest Configuration,"Windows web servers should be configured to use secure communication protocols"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000,testcn000,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,"Management ports should be closed on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105,cn105,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhennone,3cf2ab00-13f1-4d0c-8971-2ac904541a7e,/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105,cn105,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhenuser,497dff13-db2a-4c0f-8603-28fa3b331ab6,/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107,testcn107,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,windowsdefenderexploitguardmonitoring,bed48b13-6647-468e-aa2f-1af1d3f4dd40,/providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).",Guest Configuration,"Windows Defender Exploit Guard should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105,cn105,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,"Virtual machines should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105,cn105,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,"[Preview]: vTPM should be enabled on supported virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105,cn105,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,"[Preview]: Secure Boot should be enabled on supported Windows virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105,cn105,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,"Virtual machines should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105,cn105,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,"[Preview]: Machines should be configured to periodically check for missing system updates"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105,cn105,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,"[Preview]: vTPM should be enabled on supported virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105,cn105,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,"[Preview]: Secure Boot should be enabled on supported Windows virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Exempt,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105,cn105,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,"System updates should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105,cn105,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,"Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105,cn105,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,"[Preview]: Machines should be configured to periodically check for missing system updates"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107,testcn107,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,windowsdefenderexploitguardmonitoring,bed48b13-6647-468e-aa2f-1af1d3f4dd40,/providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).",Guest Configuration,"Windows Defender Exploit Guard should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104,testcn104,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect,5752e6d6-1206-46d8-8ab1-ecc2f71a8112,/providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112,azure_security_benchmark_v3.0_dp-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.",Guest Configuration,"Windows web servers should be configured to use secure communication protocols"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107,testcn107,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,windowsguestconfigbaselinesmonitoring,72650e9f-97bc-4b2a-ab5f-9781a9fcecbc,/providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Windows machines should meet requirements of the Azure compute security baseline"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107,testcn107,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,"Adaptive application controls for defining safe applications should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107,testcn107,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,"Allowlist rules in your adaptive application control policy should be updated"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107,testcn107,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107,testcn107,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Non-internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107,testcn107,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,"Vulnerabilities in security configuration on your machines should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107,testcn107,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,"Monitor missing Endpoint Protection in Azure Security Center"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107,testcn107,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107,testcn107,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,"A vulnerability assessment solution should be enabled on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107testcn10755.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107testcn10755.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107testcn10755.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107testcn10755.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105cn10555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107testcn10755.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107testcn10755.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn104testcn10455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0windowsguestconfigbaselinesmonitoring72650e9f-97bc-4b2a-ab5f-9781a9fcecbc/providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbcazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationWindows machines should meet requirements of the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107testcn10755.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107testcn10755.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn107/extensions/azurepolicyforwindowsazurepolicyforwindows55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105/extensions/azurepolicyforwindowsazurepolicyforwindows55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105/extensions/azurepolicyforwindowsazurepolicyforwindows55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105cn10555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105cn10555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/stevegmwin9c58stevegmwin9c5855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/stevegmwin9c58stevegmwin9c5855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/stevegmwin9c58stevegmwin9c5855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/stevegmwin9c58stevegmwin9c5855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/stevegmwin9c58stevegmwin9c5855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.1disableunrestrictednetworktostorageaccountmonitoring34c877ad-507e-4c82-993e-3452a6e0ad3c/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3cazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address rangesStorageStorage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/stevegmwin9c58stevegmwin9c5855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/stevegmwin9c58stevegmwin9c5855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/stevegmwin9c58stevegmwin9c5855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/stevegmwin9c58,stevegmwin9c58,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Storage/storageAccounts,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpcn34qa3hcrydl2,hpcn34qa3hcrydl2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,Storage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Network/virtualNetworks,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.network/virtualnetworks/honeywellvnet,honeywellvnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0-preview,azurefirewalleffect,fc5e4038-4584-4632-8c85-c0448d374b2c,/providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall",Network,[Preview]: All Internet traffic should be routed via your deployed Azure Firewall
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Network/virtualNetworks,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.network/virtualnetworks/sandboxvnet,sandboxvnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vnetenableddosprotectionmonitoring,a7aca53f-2ed4-4466-a25e-0b45ade68efd,/providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd,azure_security_benchmark_v3.0_ns-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.",Security Center,Azure DDoS Protection Standard should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Storage/storageAccounts,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/stevegmwin,stevegmwin,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,Storage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/stevegmwin,stevegmwin,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/stevegmwin,stevegmwin,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,Storage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/stevegmwin,stevegmwin,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Storage/storageAccounts,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/stevegmwin,stevegmwin,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.1.1,disableunrestrictednetworktostorageaccountmonitoring,34c877ad-507e-4c82-993e-3452a6e0ad3c,/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges",Storage,Storage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Storage/storageAccounts,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/stevegmwin,stevegmwin,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,Storage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/stevegmwin,stevegmwin,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Storage/storageAccounts,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpc6tj6f36ptfnqy,hpc6tj6f36ptfnqy,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,Storage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/stevegmwin,stevegmwin,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Storage/storageAccounts,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpckmdt332nbah72,hpckmdt332nbah72,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,Storage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Storage/storageAccounts,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpcn34qa3hcrydl2,hpcn34qa3hcrydl2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,Storage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105,cn105,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,Management ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105,cn105,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,Adaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105,cn105,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,Allowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105,cn105,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105,cn105,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Non-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105,cn105,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,Vulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Network/virtualNetworks,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.network/virtualnetworks/honeywellvnet,honeywellvnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networkwatchershouldbeenabledmonitoringeffect,b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,azure_security_benchmark_v3.0_ir-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.",Network,Network Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Network/virtualNetworks,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.network/virtualnetworks/sandboxvnet,sandboxvnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networkwatchershouldbeenabledmonitoringeffect,b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,azure_security_benchmark_v3.0_ir-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.",Network,Network Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Network/virtualNetworks,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.network/virtualnetworks/sandboxvnet,sandboxvnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networkwatchershouldbeenabledmonitoringeffect,b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,azure_security_benchmark_v3.0_ir-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.",Network,Network Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Network/virtualNetworks,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.network/virtualnetworks/honeywellvnet,honeywellvnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networkwatchershouldbeenabledmonitoringeffect,b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,azure_security_benchmark_v3.0_ir-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.",Network,Network Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105,cn105,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,Monitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn105,cn105,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Network/virtualNetworks,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.network/virtualnetworks/sandboxvnet,sandboxvnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0-preview,azurefirewalleffect,fc5e4038-4584-4632-8c85-c0448d374b2c,/providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall",Network,[Preview]: All Internet traffic should be routed via your deployed Azure Firewall
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Storage/storageAccounts,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/hpckmdt332nbah72,hpckmdt332nbah72,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,Storage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Storage/storageAccounts,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/stevegmwin,stevegmwin,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,Storage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Storage/storageAccounts,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/stevegmwin,stevegmwin,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,Storage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/stevegmwin9c58stevegmwin9c5855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.storage/storageaccounts/stevegmwin9c58stevegmwin9c5855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.network/virtualnetworks/sandboxvnet/subnets/subnet-1subnet-155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Network/virtualNetworkstbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.network/virtualnetworks/sandboxvnetsandboxvnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0-previewazurefirewalleffectfc5e4038-4584-4632-8c85-c0448d374b2c/providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2cazure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewallNetwork[Preview]: All Internet traffic should be routed via your deployed Azure Firewall
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000testcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001linuxcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000testcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102cn10255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102cn1021.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102cn1021.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101cn10155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101cn10155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101cn10155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100cn10055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0windowsdefenderexploitguardmonitoringbed48b13-6647-468e-aa2f-1af1d3f4dd40/providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinWindows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).Guest ConfigurationWindows Defender Exploit Guard should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100cn10055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0windowsguestconfigbaselinesmonitoring72650e9f-97bc-4b2a-ab5f-9781a9fcecbc/providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbcazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationWindows machines should meet requirements of the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102cn10255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101cn10155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101cn10155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101cn10155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101cn10155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101cn10155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101cn10155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101cn10155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101cn10155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101cn10155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101cn10155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102cn10255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102cn10255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102cn10255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102cn10255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102cn10255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102cn10255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102cn10255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102cn10255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102cn10255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102cn10255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102cn10255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102cn10255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102cn10255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102cn10255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102cn10255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101cn10155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0windowsdefenderexploitguardmonitoringbed48b13-6647-468e-aa2f-1af1d3f4dd40/providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinWindows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).Guest ConfigurationWindows Defender Exploit Guard should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102cn10255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101/extensions/azurepolicyforwindowsazurepolicyforwindows55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102cn10255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102cn10255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102cn10255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102cn10255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101cn10155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101cn10155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101,cn101,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,"Allowlist rules in your adaptive application control policy should be updated"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101,cn101,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,"Adaptive application controls for defining safe applications should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101,cn101,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101,cn101,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,"Allowlist rules in your adaptive application control policy should be updated"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101,cn101,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,"Adaptive application controls for defining safe applications should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101,cn101,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,"Management ports of virtual machines should be protected with just-in-time network access control"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101,cn101,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,"[Preview]: System updates should be installed on your machines (powered by Update Center)"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100,cn100,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,windowsdefenderexploitguardmonitoring,bed48b13-6647-468e-aa2f-1af1d3f4dd40,/providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).",Guest Configuration,"Windows Defender Exploit Guard should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines/extensions,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101/extensions/azurepolicyforwindows,azurepolicyforwindows,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,"Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101,cn101,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,"Guest Configuration extension should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101,cn101,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,"Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100,cn100,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,"Azure Backup should be enabled for Virtual Machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Exempt,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101,cn101,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,"System updates should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101,cn101,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,"[Preview]: Secure Boot should be enabled on supported Windows virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101,cn101,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,"[Preview]: vTPM should be enabled on supported virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101,cn101,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,"[Preview]: Machines should be configured to periodically check for missing system updates"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101,cn101,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,"Virtual machines should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101,cn101,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,"[Preview]: Secure Boot should be enabled on supported Windows virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101,cn101,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,"[Preview]: vTPM should be enabled on supported virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101,cn101,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,"[Preview]: Machines should be configured to periodically check for missing system updates"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101,cn101,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,"Virtual machines should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101,cn101,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Non-internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102,cn102,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,"SQL servers on machines should have vulnerability findings resolved"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101,cn101,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,"Vulnerabilities in security configuration on your machines should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101,cn101,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101,cn101,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,"Management ports of virtual machines should be protected with just-in-time network access control"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101,cn101,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,"[Preview]: System updates should be installed on your machines (powered by Update Center)"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101,cn101,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,"System updates should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101,cn101,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,1.2.0,prerequisite_deployextensionwindows,385f5831-96d4-41db-9a3c-cd3af78aaae6,/providers/microsoft.authorization/policydefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6,,tbd,deployifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101,cn101,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,"Guest Configuration extension should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101,cn101,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,"Azure Backup should be enabled for Virtual Machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101,cn101,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,"Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring"
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnodeadheadnode55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect5752e6d6-1206-46d8-8ab1-ecc2f71a8112/providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112azure_security_benchmark_v3.0_dp-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.Guest ConfigurationWindows web servers should be configured to use secure communication protocols
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101cn10155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101cn10155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100cn10055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0windowsguestconfigbaselinesmonitoring72650e9f-97bc-4b2a-ab5f-9781a9fcecbc/providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbcazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationWindows machines should meet requirements of the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100cn10055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect5752e6d6-1206-46d8-8ab1-ecc2f71a8112/providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112azure_security_benchmark_v3.0_dp-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.Guest ConfigurationWindows web servers should be configured to use secure communication protocols
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101cn10155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101cn10155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101cn10155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101cn10155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101cn10155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101cn10155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101cn10155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101cn10155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101cn1011.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102cn10255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102cn10255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103cn10355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103cn10355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103cn10355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103cn10355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103cn10355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103cn10355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103cn10355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103cn10355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103cn10355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103cn10355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103cn10355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103cn10355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103cn10355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103cn10355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103cn10355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103cn10355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103cn10355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101cn10155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0windowsguestconfigbaselinesmonitoring72650e9f-97bc-4b2a-ab5f-9781a9fcecbc/providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbcazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationWindows machines should meet requirements of the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103cn10355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102cn10255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103cn10355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103cn10355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103cn10355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103cn10355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103cn10355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103cn10355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103cn10355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000testcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103cn10355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103cn10355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103cn10355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103cn10355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103cn10355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103cn10355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103cn10355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103cn10355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102,cn102,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,windowsguestconfigbaselinesmonitoring,72650e9f-97bc-4b2a-ab5f-9781a9fcecbc,/providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Windows machines should meet requirements of the Azure compute security baseline"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103,cn103,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,"Azure Backup should be enabled for Virtual Machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103,cn103,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,"Guest Configuration extension should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103,cn103,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,"Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103,cn103,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,1.2.0,prerequisite_deployextensionwindows,385f5831-96d4-41db-9a3c-cd3af78aaae6,/providers/microsoft.authorization/policydefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6,,tbd,deployifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102,cn102,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,windowsdefenderexploitguardmonitoring,bed48b13-6647-468e-aa2f-1af1d3f4dd40,/providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).",Guest Configuration,"Windows Defender Exploit Guard should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Exempt,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103,cn103,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,"System updates should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103,cn103,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,"[Preview]: Secure Boot should be enabled on supported Windows virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103,cn103,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,"[Preview]: vTPM should be enabled on supported virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102,cn102,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,"Monitor missing Endpoint Protection in Azure Security Center"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102,cn102,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,"Vulnerabilities in security configuration on your machines should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102,cn102,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Non-internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102,cn102,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102,cn102,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,"Allowlist rules in your adaptive application control policy should be updated"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102,cn102,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,"Adaptive application controls for defining safe applications should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102,cn102,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,"Management ports of virtual machines should be protected with just-in-time network access control"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102,cn102,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,"[Preview]: System updates should be installed on your machines (powered by Update Center)"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102,cn102,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,"System updates should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102,cn102,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect,5752e6d6-1206-46d8-8ab1-ecc2f71a8112,/providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112,azure_security_benchmark_v3.0_dp-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.",Guest Configuration,"Windows web servers should be configured to use secure communication protocols"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102,cn102,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,"Guest Configuration extension should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102,cn102,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,1.2.0,prerequisite_deployextensionwindows,385f5831-96d4-41db-9a3c-cd3af78aaae6,/providers/microsoft.authorization/policydefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6,,tbd,deployifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102,cn102,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,"Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101,cn101,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect,5752e6d6-1206-46d8-8ab1-ecc2f71a8112,/providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112,azure_security_benchmark_v3.0_dp-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.",Guest Configuration,"Windows web servers should be configured to use secure communication protocols"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102,cn102,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,"Endpoint protection health issues should be resolved on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102,cn102,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,"Endpoint protection should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100,cn100,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect,5752e6d6-1206-46d8-8ab1-ecc2f71a8112,/providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112,azure_security_benchmark_v3.0_dp-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.",Guest Configuration,"Windows web servers should be configured to use secure communication protocols"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102,cn102,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,"Azure Backup should be enabled for Virtual Machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102,cn102,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,"Vulnerabilities in container security configurations should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102,cn102,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102,cn102,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,"Management ports should be closed on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102,cn102,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,"A vulnerability assessment solution should be enabled on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102,cn102,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,"SQL servers on machines should have vulnerability findings resolved"
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103cn10355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103cn10355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103cn10355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103cn10355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103cn10355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103cn10355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103cn1031.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103cn1031.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102/extensions/azurepolicyforwindowsazurepolicyforwindows55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102/extensions/azurepolicyforwindowsazurepolicyforwindows55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102cn10255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0windowsguestconfigbaselinesmonitoring72650e9f-97bc-4b2a-ab5f-9781a9fcecbc/providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbcazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationWindows machines should meet requirements of the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102cn10255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102cn10255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102cn10255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0windowsdefenderexploitguardmonitoringbed48b13-6647-468e-aa2f-1af1d3f4dd40/providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinWindows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).Guest ConfigurationWindows Defender Exploit Guard should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101cn10155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0windowsdefenderexploitguardmonitoringbed48b13-6647-468e-aa2f-1af1d3f4dd40/providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineWindows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).Guest ConfigurationWindows Defender Exploit Guard should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102cn10255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102cn10255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102cn10255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102cn10255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102cn10255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101cn1011.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100/extensions/azurepolicyforwindowsazurepolicyforwindows55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnodeadheadnode55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnodeadheadnode55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnodeadheadnode55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnodeadheadnode55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnodeadheadnode55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnodeadheadnode55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnodeadheadnode55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode/extensions/azurepolicyforwindowsazurepolicyforwindows55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnodeadheadnode55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnodeadheadnode55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addcaddc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addcaddc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addcaddc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addcaddc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addcaddc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addcaddc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addcaddc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addcaddc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addcaddc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addcaddc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addcaddc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addcaddc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addcaddc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addcaddc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addcaddc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addcaddc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addcaddc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addcaddc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addcaddc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addcaddc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addcaddc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addcaddc1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addcaddc1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addcaddc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnodeadheadnode55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addcaddc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addcaddc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addcaddc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addcaddc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addcaddc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addcaddc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addcaddc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addcaddc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addcaddc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addcaddc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addcaddc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addcaddc1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration1.2.0prerequisite_deployextensionwindows385f5831-96d4-41db-9a3c-cd3af78aaae6/providers/microsoft.authorization/policydefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6tbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addcaddc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addcaddc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addcaddc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addcaddc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addcaddc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addcaddc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addcaddc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addcaddc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addcaddc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addcaddc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addcaddc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0windowsdefenderexploitguardmonitoringbed48b13-6647-468e-aa2f-1af1d3f4dd40/providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinWindows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).Guest ConfigurationWindows Defender Exploit Guard should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnodeadheadnode55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnodeadheadnode55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100cn10055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100cn1001.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration1.2.0prerequisite_deployextensionwindows385f5831-96d4-41db-9a3c-cd3af78aaae6/providers/microsoft.authorization/policydefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6tbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100cn10055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100cn10055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnodeadheadnode55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0windowsguestconfigbaselinesmonitoring72650e9f-97bc-4b2a-ab5f-9781a9fcecbc/providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbcazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationWindows machines should meet requirements of the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addcaddc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0windowsguestconfigbaselinesmonitoring72650e9f-97bc-4b2a-ab5f-9781a9fcecbc/providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbcazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationWindows machines should meet requirements of the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100cn10055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100cn10055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100cn10055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100cn10055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100cn10055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100cn10055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100cn10055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100cn10055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100cn10055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100cn10055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100cn10055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100cn10055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100cn10055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100cn10055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100,cn100,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,"Adaptive application controls for defining safe applications should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100,cn100,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,"Azure Backup should be enabled for Virtual Machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100,cn100,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,"System updates should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100,cn100,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,"Endpoint protection should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,STEVEGMWIN,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addc,addc,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect,5752e6d6-1206-46d8-8ab1-ecc2f71a8112,/providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112,azure_security_benchmark_v3.0_dp-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.",Guest Configuration,"Windows web servers should be configured to use secure communication protocols"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100,cn100,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,"Vulnerabilities in container security configurations should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100,cn100,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,"IP Forwarding on your virtual machine should be disabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100,cn100,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,"Management ports should be closed on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100,cn100,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,"Adaptive network hardening recommendations should be applied on internet facing virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100,cn100,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,"SQL servers on machines should have vulnerability findings resolved"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100,cn100,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,"All network ports should be restricted on network security groups associated to your virtual machine"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100,cn100,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,"A vulnerability assessment solution should be enabled on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode,adheadnode,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,windowsguestconfigbaselinesmonitoring,72650e9f-97bc-4b2a-ab5f-9781a9fcecbc,/providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Windows machines should meet requirements of the Azure compute security baseline"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100,cn100,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100,cn100,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,"Monitor missing Endpoint Protection in Azure Security Center"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100,cn100,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,"Vulnerabilities in security configuration on your machines should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100,cn100,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Non-internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100,cn100,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100,cn100,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,"Allowlist rules in your adaptive application control policy should be updated"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100,cn100,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,"Adaptive application controls for defining safe applications should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100,cn100,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,"Management ports of virtual machines should be protected with just-in-time network access control"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100,cn100,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,"[Preview]: System updates should be installed on your machines (powered by Update Center)"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode,adheadnode,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,windowsdefenderexploitguardmonitoring,bed48b13-6647-468e-aa2f-1af1d3f4dd40,/providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).",Guest Configuration,"Windows Defender Exploit Guard should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103,cn103,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,"Management ports should be closed on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100,cn100,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,"Management ports of virtual machines should be protected with just-in-time network access control"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100,cn100,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,"Guest Configuration extension should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode,adheadnode,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,"SQL servers on machines should have vulnerability findings resolved"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode,adheadnode,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,"All network ports should be restricted on network security groups associated to your virtual machine"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode,adheadnode,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,"A vulnerability assessment solution should be enabled on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode,adheadnode,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode,adheadnode,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,"Vulnerabilities in security configuration on your machines should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode,adheadnode,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,"Monitor missing Endpoint Protection in Azure Security Center"
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addcaddc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0windowsguestconfigbaselinesmonitoring72650e9f-97bc-4b2a-ab5f-9781a9fcecbc/providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbcazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationWindows machines should meet requirements of the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnodeadheadnode55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnodeadheadnode55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnodeadheadnode55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnodeadheadnode55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnodeadheadnode55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnodeadheadnode55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnodeadheadnode55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addcaddc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0windowsdefenderexploitguardmonitoringbed48b13-6647-468e-aa2f-1af1d3f4dd40/providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineWindows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).Guest ConfigurationWindows Defender Exploit Guard should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/addcaddc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect5752e6d6-1206-46d8-8ab1-ecc2f71a8112/providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112azure_security_benchmark_v3.0_dp-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.Guest ConfigurationWindows web servers should be configured to use secure communication protocols
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnodeadheadnode55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnodeadheadnode55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnodeadheadnode1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration1.2.0prerequisite_deployextensionwindows385f5831-96d4-41db-9a3c-cd3af78aaae6/providers/microsoft.authorization/policydefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6tbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnodeadheadnode55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100cn10055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnodeadheadnode55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnodeadheadnode55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnodeadheadnode55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect5752e6d6-1206-46d8-8ab1-ecc2f71a8112/providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112azure_security_benchmark_v3.0_dp-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.Guest ConfigurationWindows web servers should be configured to use secure communication protocols
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnodeadheadnode55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0windowsdefenderexploitguardmonitoringbed48b13-6647-468e-aa2f-1af1d3f4dd40/providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinWindows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).Guest ConfigurationWindows Defender Exploit Guard should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100cn10055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100/extensions/azurepolicyforwindowsazurepolicyforwindows55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100cn10055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100cn10055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100cn10055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100,cn100,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,"[Preview]: Machines should be configured to periodically check for missing system updates"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100,cn100,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,"Virtual machines should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100,cn100,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,"[Preview]: Secure Boot should be enabled on supported Windows virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100,cn100,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,"[Preview]: vTPM should be enabled on supported virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100,cn100,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,"[Preview]: Machines should be configured to periodically check for missing system updates"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100,cn100,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,"Virtual machines should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100,cn100,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhenuser,497dff13-db2a-4c0f-8603-28fa3b331ab6,/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn100,cn100,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhennone,3cf2ab00-13f1-4d0c-8971-2ac904541a7e,/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines/extensions,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode/extensions/azurepolicyforwindows,azurepolicyforwindows,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,"Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode,adheadnode,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,"Endpoint protection health issues should be resolved on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode,adheadnode,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,"Endpoint protection should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode,adheadnode,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,"Azure Backup should be enabled for Virtual Machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/adheadnode,adheadnode,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,"Vulnerabilities in container security configurations should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103,cn103,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,"IP Forwarding on your virtual machine should be disabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103,cn103,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,"Monitor missing Endpoint Protection in Azure Security Center"
1d81cec7-7ded-4731-884e-90c5aa59c622,stevegmwin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103,cn103,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,"Azure Backup should be enabled for Virtual Machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001,linuxcn001,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhenuser,497dff13-db2a-4c0f-8603-28fa3b331ab6,/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001,linuxcn001,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhennone,3cf2ab00-13f1-4d0c-8971-2ac904541a7e,/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000,linuxcn000,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,"Endpoint protection health issues should be resolved on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000,linuxcn000,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,"Endpoint protection should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000,linuxcn000,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,"Azure Backup should be enabled for Virtual Machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000,linuxcn000,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,"Vulnerabilities in container security configurations should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000,linuxcn000,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,"IP Forwarding on your virtual machine should be disabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000,linuxcn000,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,"Management ports should be closed on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001,linuxcn001,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,"Virtual machines should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000,linuxcn000,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,"Adaptive network hardening recommendations should be applied on internet facing virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000,linuxcn000,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,"All network ports should be restricted on network security groups associated to your virtual machine"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000,linuxcn000,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000,linuxcn000,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,"A vulnerability assessment solution should be enabled on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000,linuxcn000,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,"Vulnerabilities in security configuration on your machines should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000,linuxcn000,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,"Monitor missing Endpoint Protection in Azure Security Center"
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000linuxcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000linuxcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000linuxcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000linuxcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000linuxcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001linuxcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001linuxcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001linuxcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001linuxcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001linuxcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001linuxcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001linuxcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001linuxcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001linuxcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001linuxcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001linuxcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywellhoneywell55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect5752e6d6-1206-46d8-8ab1-ecc2f71a8112/providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112azure_security_benchmark_v3.0_dp-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.Guest ConfigurationWindows web servers should be configured to use secure communication protocols
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001linuxcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywellhoneywell55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0windowsguestconfigbaselinesmonitoring72650e9f-97bc-4b2a-ab5f-9781a9fcecbc/providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbcazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationWindows machines should meet requirements of the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001linuxcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001linuxcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001linuxcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001linuxcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000linuxcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000linuxcn0001.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration3.0.0prerequisite_deployextensionlinux331e8ea8-378a-410f-a2e5-ae22f38bb0da/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0datbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000linuxcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000linuxcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000linuxcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000linuxcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000linuxcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000linuxcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000linuxcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000linuxcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000linuxcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000linuxcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000linuxcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000linuxcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000linuxcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001linuxcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001linuxcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001linuxcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000testcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000testcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000testcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000testcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000testcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000testcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000testcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000testcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000testcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000testcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000testcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000/extensions/azurepolicyforwindowsazurepolicyforwindows55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000testcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000testcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000testcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001linuxcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000testcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000linuxcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000testcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000testcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000testcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000testcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2-previewascdependencyagentauditwindowseffect2f2ee1de-44aa-4762-b6bd-0893fc3f306d/providers/microsoft.authorization/policydefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306dazure_security_benchmark_v3.0_lt-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSecurity Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.Monitoring[Preview]: Network traffic data collection agent should be installed on Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000testcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000testcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000testcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000testcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000testcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000testcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000testcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000testcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001linuxcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000testcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000testcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000,linuxcn000,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,Linux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001,linuxcn001,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,Linux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000,testcn000,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,Guest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000,testcn000,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats,Security Center,Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000,testcn000,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,1.2.0,prerequisite_deployextensionwindows,385f5831-96d4-41db-9a3c-cd3af78aaae6,/providers/microsoft.authorization/policydefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6,,tbd,deployifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000,testcn000,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.,Security Center,Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000,testcn000,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000,testcn000,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Exempt,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000,testcn000,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,Missing security system updates on your servers will be monitored by Azure Security Center as recommendations,Security Center,System updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000,testcn000,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000,testcn000,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001,linuxcn001,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations,Security Center,Vulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001,linuxcn001,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc,Security Center,Non-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001,linuxcn001,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc,Security Center,Internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000,linuxcn000,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,Linux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001,linuxcn001,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.,Security Center,Allowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001,linuxcn001,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,Adaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001,linuxcn001,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations,Security Center,Management ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001,linuxcn001,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001,linuxcn001,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations,Security Center,Monitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001,linuxcn001,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,Missing security system updates on your servers will be monitored by Azure Security Center as recommendations,Security Center,System updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,STEVEGMWIN,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell,honeywell,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,windowsdefenderexploitguardmonitoring,bed48b13-6647-468e-aa2f-1af1d3f4dd40,/providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).,Guest Configuration,Windows Defender Exploit Guard should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001,linuxcn001,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats,Security Center,Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001,linuxcn001,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,3.0.0,prerequisite_deployextensionlinux,331e8ea8-378a-410f-a2e5-ae22f38bb0da,/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da,,tbd,deployifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001,linuxcn001,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.,Security Center,Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001,linuxcn001,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,STEVEGMWIN,Microsoft.Compute/virtualMachines,tbd,eastus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell,honeywell,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,windowsguestconfigbaselinesmonitoring,72650e9f-97bc-4b2a-ab5f-9781a9fcecbc,/providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,Windows machines should meet requirements of the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001,linuxcn001,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.,Security Center,Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001,linuxcn001,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,IP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001,linuxcn001,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,Guest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001,linuxcn001,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,SteveGMWin,Microsoft.Compute/virtualMachines,tbd,eastus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001,linuxcn001,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,A vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001linuxcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000testcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000testcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000testcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000testcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000testcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000testcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000testcn0001.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/testcn000testcn0001.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachines/extensionstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001linuxcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001linuxcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001linuxcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000linuxcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001linuxcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001linuxcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001linuxcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001linuxcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn001linuxcn00155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000linuxcn0001.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywellhoneywell55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622SteveGMWinMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/linuxcn000linuxcn00055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | disableipforwardingmonitoring | bd352bd5-2853-4985-bf0d-73806b4a5744 | /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Security Center | IP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines/extensions | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell/extensions/azurepolicyforwindows | azurepolicyforwindows | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101 | cn101 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols
1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 2.0.0 | windowsdefenderexploitguardmonitoring | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 | System.Object[] | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Guest Configuration | Windows Defender Exploit Guard should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols
1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn102 | cn102 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 4.0.0 | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | azure_security_benchmark_v3.0_dp-3 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Guest Configuration | Windows web servers should be configured to use secure communication protocols
1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | stevegmwin | Microsoft.Compute/virtualMachines | tbd | eastus | False | NonCompliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn103 | cn103 | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 1.0.0 | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e | tbd | modify | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 1.0.0 | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 | tbd | modify | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | tbd | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | STEVEGMWIN | Microsoft.Compute/virtualMachines | tbd | eastus | True | Compliant | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywell | honeywell | 55.0.0 | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywellhoneywell55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywellhoneywell55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywellhoneywell55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywellhoneywell55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywellhoneywell55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622stevegmwinMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/cn101cn10155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0windowsguestconfigbaselinesmonitoring72650e9f-97bc-4b2a-ab5f-9781a9fcecbc/providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbcazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationWindows machines should meet requirements of the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywellhoneywell55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywellhoneywell55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywellhoneywell55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywellhoneywell55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywellhoneywell55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywellhoneywell55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywellhoneywell1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration1.2.0prerequisite_deployextensionwindows385f5831-96d4-41db-9a3c-cd3af78aaae6/providers/microsoft.authorization/policydefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6tbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywellhoneywell55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywellhoneywell55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywellhoneywell55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywellhoneywell55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywellhoneywell55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywellhoneywell55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywellhoneywell55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywellhoneywell55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywellhoneywell55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622STEVEGMWINMicrosoft.Compute/virtualMachinestbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/stevegmwin/providers/microsoft.compute/virtualmachines/honeywellhoneywell55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622STEVE-LUSTREMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622STEVE-LUSTREMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622STEVE-LUSTREMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622STEVE-LUSTREMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve-lustreMicrosoft.Compute/virtualMachines/extensionstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622STEVE-LUSTREMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622steve-lustreMicrosoft.Compute/virtualMachineScaleSetstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622steve-lustreMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve-lustreMicrosoft.Compute/virtualMachineScaleSetstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmssosvulnerabilitiesmonitoring3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4/providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks.Security CenterVulnerabilities in security configuration on your virtual machine scale sets should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622STEVE-LUSTREMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622STEVE-LUSTREMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622steve-lustreMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622steve-lustreMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622STEVE-LUSTREMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622STEVE-LUSTREMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622steve-lustreMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622steve-lustreMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622steve-lustreMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve-lustreMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve-lustreMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve-lustreMicrosoft.Compute/virtualMachineScaleSetstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmssmonitoringa3a6ea0c-e018-4933-9ef0-5aaa1501449b/providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449bazure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecurity Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats.Security CenterLog Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622steve-lustreMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622steve-lustreMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve-lustreMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622steve-lustreMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622steve-lustreMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622steve-lustreMicrosoft.Compute/virtualMachines/extensionstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622steve-lustreMicrosoft.Compute/virtualMachineScaleSetstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.1.0diagnosticslogsinservicefabricmonitoringeffect7c1b1214-f927-48bf-8882-84f0af6588b1/providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1azure_security_benchmark_v3.0_lt-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineIt is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise.ComputeResource logs in Virtual Machine Scale Sets should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622steve-lustreMicrosoft.Compute/virtualMachineScaleSetstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.1.0diagnosticslogsinservicefabricmonitoringeffect7c1b1214-f927-48bf-8882-84f0af6588b1/providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1azure_security_benchmark_v3.0_lt-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinIt is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise.ComputeResource logs in Virtual Machine Scale Sets should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622STEVE-LUSTREMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve-lustreMicrosoft.Compute/virtualMachineScaleSetstbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622steve-lustreMicrosoft.Compute/virtualMachineScaleSetstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmsssystemupdatesmonitoringc3f317a7-a95c-4547-b7e7-11017ebdf2fe/providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2feazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure.Security CenterSystem updates on virtual machine scale sets should be installed
1d81cec7-7ded-4731-884e-90c5aa59c622steve-lustreMicrosoft.Compute/virtualMachineScaleSetstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachinescalesets/lustre-vmsslustre-vmss55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmssendpointprotectionmonitoring26a828e1-e88f-464e-bbb3-c134a282b9de/providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9deazure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.Security CenterEndpoint protection solution should be installed on virtual machine scale sets
1d81cec7-7ded-4731-884e-90c5aa59c622steve-lustreMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622STEVE-LUSTREMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622STEVE-LUSTREMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622STEVE-LUSTREMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve-lustreMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622steve-lustreMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622steve-lustreMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve-lustreMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622steve-lustreMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622steve-lustreMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622steve-lustreMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622steve-lustreMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622steve-lustreMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622steve-lustreMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve-lustreMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622steve-lustreMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve-lustreMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622,steve-lustre,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,"Adaptive network hardening recommendations should be applied on internet facing virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve-lustre,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,"Management ports should be closed on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve-lustre,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,"System updates should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve-lustre,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre,lustre,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,3.0.0,prerequisite_deployextensionlinux,331e8ea8-378a-410f-a2e5-ae22f38bb0da,/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da,,tbd,deployifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve-lustre,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,"Azure Backup should be enabled for Virtual Machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve-lustre,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,"Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve-lustre,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Non-internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve-lustre,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,"Vulnerabilities in security configuration on your machines should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve-lustre,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,"Monitor missing Endpoint Protection in Azure Security Center"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve-lustre,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve-lustre,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,"A vulnerability assessment solution should be enabled on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve-lustre,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,"All network ports should be restricted on network security groups associated to your virtual machine"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve-lustre,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,"SQL servers on machines should have vulnerability findings resolved"
1d81cec7-7ded-4731-884e-90c5aa59c622,STEVE-LUSTRE,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,3.0.0,prerequisite_deployextensionlinux,331e8ea8-378a-410f-a2e5-ae22f38bb0da,/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da,,tbd,deployifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve-lustre,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,"Adaptive network hardening recommendations should be applied on internet facing virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve-lustre,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,"Adaptive application controls for defining safe applications should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve-lustre,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,"IP Forwarding on your virtual machine should be disabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve-lustre,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,"Vulnerabilities in container security configurations should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve-lustre,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,"Management ports of virtual machines should be protected with just-in-time network access control"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve-lustre,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,"Endpoint protection should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve-lustre,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,"Endpoint protection health issues should be resolved on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve-lustre,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,"[Preview]: System updates should be installed on your machines (powered by Update Center)"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve-lustre,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,"Management ports should be closed on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve-lustre,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,"IP Forwarding on your virtual machine should be disabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve-lustre,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,"Vulnerabilities in container security configurations should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve-lustre,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,"Endpoint protection health issues should be resolved on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve-lustre,Microsoft.Compute/virtualMachines,tbd,southcentralus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre,lustre,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,"Endpoint protection should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,STEVE-LUSTRE,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,"Allowlist rules in your adaptive application control policy should be updated"
1d81cec7-7ded-4731-884e-90c5aa59c622,STEVE-LUSTRE,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,steve-lustre,Microsoft.Compute/virtualMachines/extensions,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre/extensions/azurepolicyforlinux,azurepolicyforlinux,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,"Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity"
1d81cec7-7ded-4731-884e-90c5aa59c622,STEVE-LUSTRE,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Non-internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,STEVE-LUSTRE,Microsoft.Compute/virtualMachines,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbh,lustre-rbh,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,"Monitor missing Endpoint Protection in Azure Security Center"
1d81cec7-7ded-4731-884e-90c5aa59c622STEVE-LUSTREMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622STEVE-LUSTREMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622STEVE-LUSTREMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622STEVE-LUSTREMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622STEVE-LUSTREMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622STEVE-LUSTREMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622STEVE-LUSTREMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622STEVE-LUSTREMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622STEVE-LUSTREMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622STEVE-LUSTREMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622STEVE-LUSTREMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622steve-lustreMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustrelustre1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622STEVE-LUSTREMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve-lustreMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustrelustre1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622steve-lustreMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve-lustreMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622STEVE-LUSTREMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622STEVE-LUSTREMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622STEVE-LUSTREMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622STEVE-LUSTREMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622STEVE-LUSTREMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622STEVE-LUSTREMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622STEVE-LUSTREMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622STEVE-LUSTREMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622STEVE-LUSTREMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622STEVE-LUSTREMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622STEVE-LUSTREMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622steve-lustreMicrosoft.Compute/virtualMachinestbdsouthcentralusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustrelustre55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622STEVE-LUSTREMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622steve-lustreMicrosoft.Compute/virtualMachines/extensionstbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622STEVE-LUSTREMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622STEVE-LUSTREMicrosoft.Compute/virtualMachinestbdsouthcentralusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/steve-lustre/providers/microsoft.compute/virtualmachines/lustre-rbhlustre-rbh55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622test061121Microsoft.Network/virtualNetworkstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/test061121/providers/microsoft.network/virtualnetworks/test061121-vnettest061121-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vnetenableddosprotectionmonitoringa7aca53f-2ed4-4466-a25e-0b45ade68efd/providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efdazure_security_benchmark_v3.0_ns-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.Security CenterAzure DDoS Protection Standard should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622test061121Microsoft.Network/virtualNetworks/subnetstbdTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/test061121/providers/microsoft.network/virtualnetworks/test061121-vnet/subnets/defaultdefault55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonsubnetsmonitoringe71308d3-144b-4262-b144-efdc3cc90517/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.Security CenterSubnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622test061121Microsoft.Network/virtualNetworkstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/test061121/providers/microsoft.network/virtualnetworks/test061121-vnettest061121-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622test061121Microsoft.Network/virtualNetworkstbdeastusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/test061121/providers/microsoft.network/virtualnetworks/test061121-vnettest061121-vnet55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachines/extensionstbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00623b7169bfcb010068170821-vcstesting-splfs-001.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04623b7169bfcb010068170821-vcstesting-worker-0455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04623b7169bfcb010068170821-vcstesting-worker-0455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04623b7169bfcb010068170821-vcstesting-worker-0455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02623b7169bfcb010068170821-vcstesting-worker-0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04623b7169bfcb010068170821-vcstesting-worker-0455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04623b7169bfcb010068170821-vcstesting-worker-0455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04623b7169bfcb010068170821-vcstesting-worker-0455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04623b7169bfcb010068170821-vcstesting-worker-0455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04623b7169bfcb010068170821-vcstesting-worker-0455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04623b7169bfcb010068170821-vcstesting-worker-0455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04623b7169bfcb010068170821-vcstesting-worker-0455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04623b7169bfcb010068170821-vcstesting-worker-0455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04623b7169bfcb010068170821-vcstesting-worker-0455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04623b7169bfcb010068170821-vcstesting-worker-0455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04623b7169bfcb010068170821-vcstesting-worker-0455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04623b7169bfcb010068170821-vcstesting-worker-0455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04623b7169bfcb010068170821-vcstesting-worker-0455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04623b7169bfcb010068170821-vcstesting-worker-041.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04623b7169bfcb010068170821-vcstesting-worker-0455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04623b7169bfcb010068170821-vcstesting-worker-0455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04623b7169bfcb010068170821-vcstesting-worker-0455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04623b7169bfcb010068170821-vcstesting-worker-0455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04623b7169bfcb010068170821-vcstesting-worker-0455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01623b7169bfcb010068170821-vcstesting-worker-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04623b7169bfcb010068170821-vcstesting-worker-0455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04623b7169bfcb010068170821-vcstesting-worker-0455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04623b7169bfcb010068170821-vcstesting-worker-0455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04623b7169bfcb010068170821-vcstesting-worker-0455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03623b7169bfcb010068170821-vcstesting-worker-0355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04623b7169bfcb010068170821-vcstesting-worker-0455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04623b7169bfcb010068170821-vcstesting-worker-0455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04623b7169bfcb010068170821-vcstesting-worker-0455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04623b7169bfcb010068170821-vcstesting-worker-0455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachines/extensionstbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachines/extensionstbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04623b7169bfcb010068170821-vcstesting-worker-0455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04,623b7169bfcb010068170821-vcstesting-worker-04,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04,623b7169bfcb010068170821-vcstesting-worker-04,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04,623b7169bfcb010068170821-vcstesting-worker-04,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,Azure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines/extensions,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04/extensions/azurepolicyforlinux,azurepolicyforlinux,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01,ts-license01,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhennone,3cf2ab00-13f1-4d0c-8971-2ac904541a7e,/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04,623b7169bfcb010068170821-vcstesting-worker-04,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01,ts-license01,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhenuser,497dff13-db2a-4c0f-8603-28fa3b331ab6,/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01,ts-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01,ts-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01,ts-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01,ts-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01,ts-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01,ts-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01,ts-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04,623b7169bfcb010068170821-vcstesting-worker-04,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhennone,3cf2ab00-13f1-4d0c-8971-2ac904541a7e,/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04,623b7169bfcb010068170821-vcstesting-worker-04,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,IP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04,623b7169bfcb010068170821-vcstesting-worker-04,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,SQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04,623b7169bfcb010068170821-vcstesting-worker-04,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,System updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04,623b7169bfcb010068170821-vcstesting-worker-04,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04,623b7169bfcb010068170821-vcstesting-worker-04,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,3.0.0,prerequisite_deployextensionlinux,331e8ea8-378a-410f-a2e5-ae22f38bb0da,/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da,,tbd,deployifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04,623b7169bfcb010068170821-vcstesting-worker-04,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,Management ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04,623b7169bfcb010068170821-vcstesting-worker-04,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,Adaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04,623b7169bfcb010068170821-vcstesting-worker-04,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,Allowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04,623b7169bfcb010068170821-vcstesting-worker-04,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,Management ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04,623b7169bfcb010068170821-vcstesting-worker-04,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04,623b7169bfcb010068170821-vcstesting-worker-04,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,Vulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04,623b7169bfcb010068170821-vcstesting-worker-04,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,Monitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04,623b7169bfcb010068170821-vcstesting-worker-04,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04,623b7169bfcb010068170821-vcstesting-worker-04,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,All network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04623b7169bfcb010068170821-vcstesting-worker-0455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04623b7169bfcb010068170821-vcstesting-worker-0455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04623b7169bfcb010068170821-vcstesting-worker-0455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01ts-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03623b7169bfcb010068170821-vcstesting-worker-0355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03623b7169bfcb010068170821-vcstesting-worker-0355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03623b7169bfcb010068170821-vcstesting-worker-0355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03623b7169bfcb010068170821-vcstesting-worker-0355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03623b7169bfcb010068170821-vcstesting-worker-0355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03623b7169bfcb010068170821-vcstesting-worker-0355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03623b7169bfcb010068170821-vcstesting-worker-0355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03623b7169bfcb010068170821-vcstesting-worker-0355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03623b7169bfcb010068170821-vcstesting-worker-0355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03623b7169bfcb010068170821-vcstesting-worker-0355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03623b7169bfcb010068170821-vcstesting-worker-0355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachines/extensionstbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01623b7169bfcb010068170821-vcstesting-worker-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03623b7169bfcb010068170821-vcstesting-worker-0355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03623b7169bfcb010068170821-vcstesting-worker-0355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03623b7169bfcb010068170821-vcstesting-worker-0355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03623b7169bfcb010068170821-vcstesting-worker-0355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03623b7169bfcb010068170821-vcstesting-worker-0355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03623b7169bfcb010068170821-vcstesting-worker-0355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02623b7169bfcb010068170821-vcstesting-worker-0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02623b7169bfcb010068170821-vcstesting-worker-0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03623b7169bfcb010068170821-vcstesting-worker-0355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03623b7169bfcb010068170821-vcstesting-worker-0355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03623b7169bfcb010068170821-vcstesting-worker-0355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02623b7169bfcb010068170821-vcstesting-worker-0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03623b7169bfcb010068170821-vcstesting-worker-0355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03623b7169bfcb010068170821-vcstesting-worker-0355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03623b7169bfcb010068170821-vcstesting-worker-0355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03623b7169bfcb010068170821-vcstesting-worker-0355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03623b7169bfcb010068170821-vcstesting-worker-0355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01623b7169bfcb010068170821-vcstesting-worker-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03623b7169bfcb010068170821-vcstesting-worker-0355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03623b7169bfcb010068170821-vcstesting-worker-0355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03623b7169bfcb010068170821-vcstesting-worker-0355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03623b7169bfcb010068170821-vcstesting-worker-0355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03623b7169bfcb010068170821-vcstesting-worker-0355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03623b7169bfcb010068170821-vcstesting-worker-031.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration3.0.0prerequisite_deployextensionlinux331e8ea8-378a-410f-a2e5-ae22f38bb0da/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0datbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03623b7169bfcb010068170821-vcstesting-worker-0355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03,623b7169bfcb010068170821-vcstesting-worker-03,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,"System updates should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03,623b7169bfcb010068170821-vcstesting-worker-03,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,"[Preview]: System updates should be installed on your machines (powered by Update Center)"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03,623b7169bfcb010068170821-vcstesting-worker-03,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,"Management ports of virtual machines should be protected with just-in-time network access control"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03,623b7169bfcb010068170821-vcstesting-worker-03,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,"Azure Backup should be enabled for Virtual Machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Exempt,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01,ts-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,"System updates should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01,ts-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,"Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04,623b7169bfcb010068170821-vcstesting-worker-04,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,"Azure Backup should be enabled for Virtual Machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00,623b7169bfcb010068170821-vcstesting-master-00,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,"System updates should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00,623b7169bfcb010068170821-vcstesting-master-00,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,"[Preview]: System updates should be installed on your machines (powered by Update Center)"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00,623b7169bfcb010068170821-vcstesting-master-00,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,"Management ports of virtual machines should be protected with just-in-time network access control"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00,623b7169bfcb010068170821-vcstesting-master-00,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,"Adaptive application controls for defining safe applications should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00,623b7169bfcb010068170821-vcstesting-master-00,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,"Allowlist rules in your adaptive application control policy should be updated"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00,623b7169bfcb010068170821-vcstesting-master-00,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00,623b7169bfcb010068170821-vcstesting-master-00,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Non-internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00,623b7169bfcb010068170821-vcstesting-master-00,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,"Vulnerabilities in security configuration on your machines should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00,623b7169bfcb010068170821-vcstesting-master-00,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,"Monitor missing Endpoint Protection in Azure Security Center"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00,623b7169bfcb010068170821-vcstesting-master-00,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00,623b7169bfcb010068170821-vcstesting-master-00,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,"A vulnerability assessment solution should be enabled on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00,623b7169bfcb010068170821-vcstesting-master-00,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,"All network ports should be restricted on network security groups associated to your virtual machine"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00,623b7169bfcb010068170821-vcstesting-master-00,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,"SQL servers on machines should have vulnerability findings resolved"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00,623b7169bfcb010068170821-vcstesting-master-00,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,"Adaptive network hardening recommendations should be applied on internet facing virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00,623b7169bfcb010068170821-vcstesting-master-00,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,"Management ports should be closed on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00,623b7169bfcb010068170821-vcstesting-master-00,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,"IP Forwarding on your virtual machine should be disabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00,623b7169bfcb010068170821-vcstesting-master-00,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,"Vulnerabilities in container security configurations should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Network/virtualNetworks,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.network/virtualnetworks/623b7169bfcb010068170821-vcstesting-main-vpc,623b7169bfcb010068170821-vcstesting-main-vpc,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0-preview,azurefirewalleffect,fc5e4038-4584-4632-8c85-c0448d374b2c,/providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall",Network,"[Preview]: All Internet traffic should be routed via your deployed Azure Firewall"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Network/virtualNetworks,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.network/virtualnetworks/623b7169bfcb010068170821-vcstesting-main-vpc,623b7169bfcb010068170821-vcstesting-main-vpc,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0-preview,azurefirewalleffect,fc5e4038-4584-4632-8c85-c0448d374b2c,/providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall",Network,"[Preview]: All Internet traffic should be routed via your deployed Azure Firewall"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Network/virtualNetworks,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.network/virtualnetworks/623b7169bfcb010068170821-vcstesting-main-vpc,623b7169bfcb010068170821-vcstesting-main-vpc,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vnetenableddosprotectionmonitoring,a7aca53f-2ed4-4466-a25e-0b45ade68efd,/providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd,azure_security_benchmark_v3.0_ns-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.",Security Center,"Azure DDoS Protection Standard should be enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01,ts-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Linux machines should meet requirements for the Azure compute security baseline"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01,ts-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,"Authentication to Linux machines should require SSH keys"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00,623b7169bfcb010068170821-vcstesting-master-00,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Linux machines should meet requirements for the Azure compute security baseline"
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00623b7169bfcb010068170821-vcstesting-master-001.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration3.0.0prerequisite_deployextensionlinux331e8ea8-378a-410f-a2e5-ae22f38bb0da/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0datbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00623b7169bfcb010068170821-vcstesting-master-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00623b7169bfcb010068170821-vcstesting-master-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00623b7169bfcb010068170821-vcstesting-master-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachines/extensionstbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00623b7169bfcb010068170821-vcstesting-master-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00623b7169bfcb010068170821-vcstesting-master-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00623b7169bfcb010068170821-vcstesting-master-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00623b7169bfcb010068170821-vcstesting-master-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00623b7169bfcb010068170821-vcstesting-master-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00623b7169bfcb010068170821-vcstesting-master-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00623b7169bfcb010068170821-vcstesting-master-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00623b7169bfcb010068170821-vcstesting-master-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00623b7169bfcb010068170821-vcstesting-master-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00623b7169bfcb010068170821-vcstesting-master-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00623b7169bfcb010068170821-vcstesting-master-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00623b7169bfcb010068170821-vcstesting-master-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00623b7169bfcb010068170821-vcstesting-master-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00623b7169bfcb010068170821-vcstesting-master-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00623b7169bfcb010068170821-vcstesting-master-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00,623b7169bfcb010068170821-vcstesting-master-00,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,"[Preview]: Secure Boot should be enabled on supported Windows virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00,623b7169bfcb010068170821-vcstesting-master-00,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,"[Preview]: vTPM should be enabled on supported virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00,623b7169bfcb010068170821-vcstesting-master-00,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,"[Preview]: Machines should be configured to periodically check for missing system updates"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00,623b7169bfcb010068170821-vcstesting-master-00,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,"Virtual machines should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00,623b7169bfcb010068170821-vcstesting-master-00,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhenuser,497dff13-db2a-4c0f-8603-28fa3b331ab6,/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00,623b7169bfcb010068170821-vcstesting-master-00,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhennone,3cf2ab00-13f1-4d0c-8971-2ac904541a7e,/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00,623b7169bfcb010068170821-vcstesting-master-00,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,"Virtual machines should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Network/virtualNetworks,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.network/virtualnetworks/623b7169bfcb010068170821-vcstesting-main-vpc,623b7169bfcb010068170821-vcstesting-main-vpc,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networkwatchershouldbeenabledmonitoringeffect,b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,azure_security_benchmark_v3.0_ir-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.",Network,"Network Watcher should be enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00,623b7169bfcb010068170821-vcstesting-master-00,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,"Adaptive application controls for defining safe applications should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00,623b7169bfcb010068170821-vcstesting-master-00,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00,623b7169bfcb010068170821-vcstesting-master-00,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,"Endpoint protection should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00,623b7169bfcb010068170821-vcstesting-splfs-00,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,"Authentication to Linux machines should require SSH keys"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines/extensions,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00/extensions/azurepolicyforlinux,azurepolicyforlinux,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,"Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00,623b7169bfcb010068170821-vcstesting-master-00,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,"Vulnerabilities in container security configurations should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00,623b7169bfcb010068170821-vcstesting-master-00,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,"IP Forwarding on your virtual machine should be disabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00,623b7169bfcb010068170821-vcstesting-master-00,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,"Management ports should be closed on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00,623b7169bfcb010068170821-vcstesting-master-00,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,"Allowlist rules in your adaptive application control policy should be updated"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00,623b7169bfcb010068170821-vcstesting-master-00,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,"Adaptive network hardening recommendations should be applied on internet facing virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00,623b7169bfcb010068170821-vcstesting-master-00,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,"All network ports should be restricted on network security groups associated to your virtual machine"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00,623b7169bfcb010068170821-vcstesting-master-00,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,"A vulnerability assessment solution should be enabled on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00,623b7169bfcb010068170821-vcstesting-master-00,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00,623b7169bfcb010068170821-vcstesting-master-00,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,"Monitor missing Endpoint Protection in Azure Security Center"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00,623b7169bfcb010068170821-vcstesting-master-00,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,"Vulnerabilities in security configuration on your machines should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00,623b7169bfcb010068170821-vcstesting-master-00,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Non-internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-master-00,623b7169bfcb010068170821-vcstesting-master-00,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,"SQL servers on machines should have vulnerability findings resolved"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Network/virtualNetworks/subnets,tbd,,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.network/virtualnetworks/623b7169bfcb010068170821-vcstesting-main-vpc/subnets/623b7169bfcb010068170821-vcstesting-private,623b7169bfcb010068170821-vcstesting-private,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",Security Center,"Subnets should be associated with a Network Security Group"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Network/virtualNetworks/subnets,tbd,,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.network/virtualnetworks/623b7169bfcb010068170821-vcstesting-main-vpc/subnets/623b7169bfcb010068170821-vcstesting-public,623b7169bfcb010068170821-vcstesting-public,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",Security Center,"Subnets should be associated with a Network Security Group"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01,ts-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Linux machines should meet requirements for the Azure compute security baseline"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01,ts-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,"Guest Configuration extension should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03623b7169bfcb010068170821-vcstesting-worker-0355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01ts-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01ts-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01ts-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2-previewascdependencyagentauditlinuxeffect04c4380f-3fae-46e8-96c9-30193528f602/providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602azure_security_benchmark_v3.0_lt-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSecurity Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.Monitoring[Preview]: Network traffic data collection agent should be installed on Linux virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01ts-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01ts-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01ts-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04623b7169bfcb010068170821-vcstesting-worker-0455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01ts-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01ts-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01ts-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01ts-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01ts-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04623b7169bfcb010068170821-vcstesting-worker-0455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01ts-license011.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration3.0.0prerequisite_deployextensionlinux331e8ea8-378a-410f-a2e5-ae22f38bb0da/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0datbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01ts-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01ts-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachines/extensionstbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01ts-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01ts-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04623b7169bfcb010068170821-vcstesting-worker-0455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01ts-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01ts-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01ts-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01ts-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01ts-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01ts-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01ts-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01ts-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01ts-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01ts-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01ts-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02623b7169bfcb010068170821-vcstesting-worker-0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01ts-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01ts-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachines/extensionstbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00623b7169bfcb010068170821-vcstesting-splfs-001.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachines/extensionstbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.storage/storageaccounts/bbfcbvcstestingbbfcbvcstesting55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.storage/storageaccounts/bbfcbvcstestingbbfcbvcstesting55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.storage/storageaccounts/bbfcbvcstestingbbfcbvcstesting55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01ts-license0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.storage/storageaccounts/bbfcbvcstestingbbfcbvcstesting55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.storage/storageaccounts/bbfcbvcstestingbbfcbvcstesting55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.storage/storageaccounts/bbfcbvcstestingbbfcbvcstesting55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.storage/storageaccounts/bbfcbvcstestingbbfcbvcstesting55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.storage/storageaccounts/bbfcbvcstestingbbfcbvcstesting55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Network/virtualNetworkstbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.network/virtualnetworks/623b7169bfcb010068170821-vcstesting-main-vpc623b7169bfcb010068170821-vcstesting-main-vpc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networkwatchershouldbeenabledmonitoringeffectb6e2945c-0b7b-40f5-9233-7a5323b5cdc6/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6azure_security_benchmark_v3.0_ir-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineNetwork Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.NetworkNetwork Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01,ts-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,Authentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Storage/storageAccounts,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.storage/storageaccounts/bbfcbvcstesting,bbfcbvcstesting,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.1.1,disableunrestrictednetworktostorageaccountmonitoring,34c877ad-507e-4c82-993e-3452a6e0ad3c,/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges",Storage,Storage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01,ts-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Non-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Storage/storageAccounts,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.storage/storageaccounts/bbfcbvcstesting,bbfcbvcstesting,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,Storage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01,ts-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2-preview,ascdependencyagentauditlinuxeffect,04c4380f-3fae-46e8-96c9-30193528f602,/providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602,azure_security_benchmark_v3.0_lt-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.",Monitoring,[Preview]: Network traffic data collection agent should be installed on Linux virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04,623b7169bfcb010068170821-vcstesting-worker-04,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,Authentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01,ts-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,Monitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01,ts-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01,ts-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,A vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01,ts-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,SQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01,ts-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,Adaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Storage/storageAccounts,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.storage/storageaccounts/bbfcbvcstesting,bbfcbvcstesting,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,Storage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01,ts-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,Management ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01,ts-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01,ts-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,All network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01,ts-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01,ts-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01,ts-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,Guest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-03,623b7169bfcb010068170821-vcstesting-worker-03,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,Linux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/ts-license01,ts-license01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,IP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02,623b7169bfcb010068170821-vcstesting-worker-02,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,Adaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-04,623b7169bfcb010068170821-vcstesting-worker-04,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,Internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02,623b7169bfcb010068170821-vcstesting-worker-02,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,All network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00,623b7169bfcb010068170821-vcstesting-tran-00,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,SQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00,623b7169bfcb010068170821-vcstesting-tran-00,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,All network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00,623b7169bfcb010068170821-vcstesting-tran-00,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,A vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00,623b7169bfcb010068170821-vcstesting-tran-00,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00,623b7169bfcb010068170821-vcstesting-tran-00,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,endpointprotectionmonitoring,af6cd1bd-1635-48cb-bde7-5b15693900b9,/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations",Security Center,Monitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00,623b7169bfcb010068170821-vcstesting-tran-00,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,Vulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00623b7169bfcb010068170821-vcstesting-tran-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00623b7169bfcb010068170821-vcstesting-tran-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00623b7169bfcb010068170821-vcstesting-tran-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00623b7169bfcb010068170821-vcstesting-tran-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00623b7169bfcb010068170821-vcstesting-tran-001.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration3.0.0prerequisite_deployextensionlinux331e8ea8-378a-410f-a2e5-ae22f38bb0da/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0datbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00623b7169bfcb010068170821-vcstesting-tran-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00623b7169bfcb010068170821-vcstesting-tran-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00623b7169bfcb010068170821-vcstesting-tran-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00623b7169bfcb010068170821-vcstesting-tran-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00623b7169bfcb010068170821-vcstesting-splfs-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00623b7169bfcb010068170821-vcstesting-tran-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00623b7169bfcb010068170821-vcstesting-tran-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00623b7169bfcb010068170821-vcstesting-tran-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00623b7169bfcb010068170821-vcstesting-tran-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00623b7169bfcb010068170821-vcstesting-tran-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00623b7169bfcb010068170821-vcstesting-tran-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00623b7169bfcb010068170821-vcstesting-tran-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00623b7169bfcb010068170821-vcstesting-tran-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00623b7169bfcb010068170821-vcstesting-tran-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00623b7169bfcb010068170821-vcstesting-tran-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00623b7169bfcb010068170821-vcstesting-tran-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02623b7169bfcb010068170821-vcstesting-worker-0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachines/extensionstbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00623b7169bfcb010068170821-vcstesting-tran-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00623b7169bfcb010068170821-vcstesting-tran-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00623b7169bfcb010068170821-vcstesting-tran-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00623b7169bfcb010068170821-vcstesting-tran-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00623b7169bfcb010068170821-vcstesting-tran-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00623b7169bfcb010068170821-vcstesting-tran-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00623b7169bfcb010068170821-vcstesting-worker-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00623b7169bfcb010068170821-vcstesting-worker-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00623b7169bfcb010068170821-vcstesting-worker-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00623b7169bfcb010068170821-vcstesting-worker-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00623b7169bfcb010068170821-vcstesting-worker-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00623b7169bfcb010068170821-vcstesting-worker-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachines/extensionstbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00623b7169bfcb010068170821-vcstesting-worker-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00623b7169bfcb010068170821-vcstesting-worker-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00623b7169bfcb010068170821-vcstesting-worker-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00623b7169bfcb010068170821-vcstesting-worker-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00623b7169bfcb010068170821-vcstesting-worker-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00623b7169bfcb010068170821-vcstesting-worker-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00623b7169bfcb010068170821-vcstesting-worker-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00623b7169bfcb010068170821-vcstesting-worker-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00623b7169bfcb010068170821-vcstesting-tran-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00623b7169bfcb010068170821-vcstesting-tran-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00623b7169bfcb010068170821-vcstesting-worker-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622|ts-623b7169bfcb010068170821-vcstesting-rg|Microsoft.Compute/virtualMachines|tbd|westus|False|NonCompliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00|623b7169bfcb010068170821-vcstesting-splfs-00|55.0.0|||1f3afdf9-d0c9-4c3d-847f-89da613e70a8|/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8|security center||2.0.0|linuxguestconfigbaselinesmonitoring|fc9b3da7-8347-4380-8e70-0a0361d8dedd|/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd|azure_security_benchmark_v3.0_pv-4|tbd|auditifnotexists||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622|tbd||SecurityCenterBuiltIn|/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin|Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.|Guest Configuration|Linux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622|ts-623b7169bfcb010068170821-vcstesting-rg|Microsoft.Compute/virtualMachines|tbd|westus|False|NonCompliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00|623b7169bfcb010068170821-vcstesting-tran-00|55.0.0|||1f3afdf9-d0c9-4c3d-847f-89da613e70a8|/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8|security center||1.0.0|installendpointprotection|1f7c564c-0a90-4d44-b7e1-9d456cffaee8|/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8|azure_security_benchmark_v3.0_es-2|tbd|auditifnotexists||/providers/Microsoft.Management/managementGroups/MCAPSCore|tbd||Azure_Security_Baseline|/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline|To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.|Security Center|Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622|ts-623b7169bfcb010068170821-vcstesting-rg|Microsoft.Compute/virtualMachines|tbd|westus|False|NonCompliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00|623b7169bfcb010068170821-vcstesting-tran-00|55.0.0|||1f3afdf9-d0c9-4c3d-847f-89da613e70a8|/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8|security center||1.0.0|endpointprotectionhealthissuesmonitoringeffect|8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2|/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2|System.Object[]|tbd|auditifnotexists||/providers/Microsoft.Management/managementGroups/MCAPSCore|tbd||Azure_Security_Baseline|/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline|Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.|Security Center|Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622|ts-623b7169bfcb010068170821-vcstesting-rg|Microsoft.Compute/virtualMachines|tbd|westus|True|Compliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00|623b7169bfcb010068170821-vcstesting-tran-00|55.0.0|||1f3afdf9-d0c9-4c3d-847f-89da613e70a8|/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8|security center||1.0.2|gcextonvmmonitoring|ae89ebca-1c92-4898-ac2c-9f63decb045c|/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c|azure_security_benchmark_v3.0_pv-4|tbd|auditifnotexists||/providers/Microsoft.Management/managementGroups/MCAPSCore|tbd||Azure_Security_Baseline|/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline|To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.|Security Center|Guest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622|ts-623b7169bfcb010068170821-vcstesting-rg|Microsoft.Compute/virtualMachines|tbd|westus|False|NonCompliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00|623b7169bfcb010068170821-vcstesting-splfs-00|55.0.0|||1f3afdf9-d0c9-4c3d-847f-89da613e70a8|/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8|security center||3.0.0|authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect|630c64f9-8b6b-4c64-b511-6544ceff6fd6|/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6|azure_security_benchmark_v3.0_im-6|tbd|auditifnotexists||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622|tbd||SecurityCenterBuiltIn|/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin|Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.|Guest Configuration|Authentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622|ts-623b7169bfcb010068170821-vcstesting-rg|Microsoft.Compute/virtualMachines|tbd|westus|True|Compliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00|623b7169bfcb010068170821-vcstesting-worker-00|1.0.0|||12794019-7a00-42cf-95c2-882eed337cc8|/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8|guest configuration||4.0.0|prerequisite_addsystemidentitywhenuser|497dff13-db2a-4c0f-8603-28fa3b331ab6|/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6||tbd|modify||/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd|tbd||f34f1577286a4f77b5dd107c|/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c|This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.|Guest Configuration|Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622|ts-623b7169bfcb010068170821-vcstesting-rg|Microsoft.Compute/virtualMachines|tbd|westus|True|Compliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00|623b7169bfcb010068170821-vcstesting-worker-00|55.0.0|||1f3afdf9-d0c9-4c3d-847f-89da613e70a8|/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8|security center||1.0.0|installloganalyticsagentonvmmonitoring|a4fe33eb-e377-4efb-ab31-0784311bc499|/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499|azure_security_benchmark_v3.0_lt-5|tbd|auditifnotexists||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622|tbd||SecurityCenterBuiltIn|/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin|This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats|Security Center|Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622|ts-623b7169bfcb010068170821-vcstesting-rg|Microsoft.Compute/virtualMachines|tbd|westus|True|Compliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00|623b7169bfcb010068170821-vcstesting-worker-00|55.0.0|||1f3afdf9-d0c9-4c3d-847f-89da613e70a8|/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8|security center||1.0.0|classiccomputevmsmonitoring|1d84d5fb-01f6-4d12-ba4f-4a26081d403d|/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d|azure_security_benchmark_v3.0_am-2|tbd|audit||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622|tbd||SecurityCenterBuiltIn|/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin|Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management|Compute|Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622|ts-623b7169bfcb010068170821-vcstesting-rg|Microsoft.Compute/virtualMachines|tbd|westus|True|Compliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00|623b7169bfcb010068170821-vcstesting-worker-00|55.0.0|||1f3afdf9-d0c9-4c3d-847f-89da613e70a8|/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8|security center||2.0.0-preview|vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect|1c30f9cd-b84c-49cc-aa2c-9288447cc3b3|/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3|azure_security_benchmark_v3.0_pv-4|tbd|audit||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622|tbd||SecurityCenterBuiltIn|/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin|Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.|Security Center|[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622|ts-623b7169bfcb010068170821-vcstesting-rg|Microsoft.Compute/virtualMachines|tbd|westus|True|Compliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00|623b7169bfcb010068170821-vcstesting-worker-00|55.0.0|||1f3afdf9-d0c9-4c3d-847f-89da613e70a8|/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8|security center||4.0.0-preview|previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect|97566dd7-78ae-4997-8b36-1c7bfe0d8121|/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121|azure_security_benchmark_v3.0_pv-4|tbd|audit||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622|tbd||SecurityCenterBuiltIn|/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin|Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.|Security Center|[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622|ts-623b7169bfcb010068170821-vcstesting-rg|Microsoft.Compute/virtualMachines|tbd|westus|True|Compliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00|623b7169bfcb010068170821-vcstesting-worker-00|55.0.0|||1f3afdf9-d0c9-4c3d-847f-89da613e70a8|/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8|security center||1.0.0|classiccomputevmsmonitoring|1d84d5fb-01f6-4d12-ba4f-4a26081d403d|/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d|azure_security_benchmark_v3.0_am-2|tbd|audit||/providers/Microsoft.Management/managementGroups/MCAPSCore|tbd||Azure_Security_Baseline|/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline|Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management|Compute|Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622|ts-623b7169bfcb010068170821-vcstesting-rg|Microsoft.Compute/virtualMachines|tbd|westus|True|Compliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00|623b7169bfcb010068170821-vcstesting-worker-00|55.0.0|||1f3afdf9-d0c9-4c3d-847f-89da613e70a8|/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8|security center||2.0.0-preview|systemupdatesautoassessmentmode|bd876905-5b84-4f73-ab2d-2e7a7c4568d9|/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9|azure_security_benchmark_v3.0_pv-6|tbd|audit||/providers/Microsoft.Management/managementGroups/MCAPSCore|tbd||Azure_Security_Baseline|/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline|To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.|Update Management Center|[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622|ts-623b7169bfcb010068170821-vcstesting-rg|Microsoft.Compute/virtualMachines|tbd|westus|True|Compliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00|623b7169bfcb010068170821-vcstesting-worker-00|55.0.0|||1f3afdf9-d0c9-4c3d-847f-89da613e70a8|/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8|security center||2.0.0-preview|vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect|1c30f9cd-b84c-49cc-aa2c-9288447cc3b3|/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3|azure_security_benchmark_v3.0_pv-4|tbd|audit||/providers/Microsoft.Management/managementGroups/MCAPSCore|tbd||Azure_Security_Baseline|/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline|Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.|Security Center|[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622|ts-623b7169bfcb010068170821-vcstesting-rg|Microsoft.Compute/virtualMachines|tbd|westus|True|Compliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00|623b7169bfcb010068170821-vcstesting-worker-00|55.0.0|||1f3afdf9-d0c9-4c3d-847f-89da613e70a8|/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8|security center||4.0.0-preview|previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect|97566dd7-78ae-4997-8b36-1c7bfe0d8121|/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121|azure_security_benchmark_v3.0_pv-4|tbd|audit||/providers/Microsoft.Management/managementGroups/MCAPSCore|tbd||Azure_Security_Baseline|/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline|Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.|Security Center|[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622|ts-623b7169bfcb010068170821-vcstesting-rg|Microsoft.Compute/virtualMachines|tbd|westus|True|Compliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00|623b7169bfcb010068170821-vcstesting-worker-00|55.0.0|||1f3afdf9-d0c9-4c3d-847f-89da613e70a8|/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8|security center||2.0.0-preview|systemupdatesautoassessmentmode|bd876905-5b84-4f73-ab2d-2e7a7c4568d9|/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9|azure_security_benchmark_v3.0_pv-6|tbd|audit||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622|tbd||SecurityCenterBuiltIn|/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin|To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.|Update Management Center|[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622|ts-623b7169bfcb010068170821-vcstesting-rg|Microsoft.Compute/virtualMachines|tbd|westus|True|Compliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00|623b7169bfcb010068170821-vcstesting-worker-00|55.0.0|||1f3afdf9-d0c9-4c3d-847f-89da613e70a8|/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8|security center||3.0.0|restrictaccesstomanagementportsmonitoring|22730e10-96f6-4aac-ad84-9383d35b5917|/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917|azure_security_benchmark_v3.0_ns-3|tbd|auditifnotexists||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622|tbd||SecurityCenterBuiltIn|/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin|Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.|Security Center|Management ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622|ts-623b7169bfcb010068170821-vcstesting-rg|Microsoft.Compute/virtualMachines|tbd|westus|True|Compliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00|623b7169bfcb010068170821-vcstesting-tran-00|55.0.0|||1f3afdf9-d0c9-4c3d-847f-89da613e70a8|/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8|security center||1.0.2|gcextonvmmonitoring|ae89ebca-1c92-4898-ac2c-9f63decb045c|/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c|azure_security_benchmark_v3.0_pv-4|tbd|auditifnotexists||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622|tbd||SecurityCenterBuiltIn|/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin|To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.|Security Center|Guest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622|ts-623b7169bfcb010068170821-vcstesting-rg|Microsoft.Compute/virtualMachines|tbd|westus|True|Compliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00|623b7169bfcb010068170821-vcstesting-tran-00|55.0.0|||1f3afdf9-d0c9-4c3d-847f-89da613e70a8|/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8|security center||3.0.0|adaptiveapplicationcontrolsupdatemonitoring|123a3936-f020-408a-ba0c-47873faf1534|/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534|azure_security_benchmark_v3.0_am-5|tbd|auditifnotexists||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622|tbd||SecurityCenterBuiltIn|/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin|Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.|Security Center|Allowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622|ts-623b7169bfcb010068170821-vcstesting-rg|Microsoft.Compute/virtualMachines|tbd|westus|True|Compliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00|623b7169bfcb010068170821-vcstesting-splfs-00|55.0.0|||1f3afdf9-d0c9-4c3d-847f-89da613e70a8|/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8|security center||3.0.0|disableipforwardingmonitoring|bd352bd5-2853-4985-bf0d-73806b4a5744|/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744|azure_security_benchmark_v3.0_ns-3|tbd|auditifnotexists||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622|tbd||SecurityCenterBuiltIn|/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin|Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.|Security Center|IP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622|ts-623b7169bfcb010068170821-vcstesting-rg|Microsoft.Compute/virtualMachines|tbd|westus|True|Compliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00|623b7169bfcb010068170821-vcstesting-splfs-00|55.0.0|||1f3afdf9-d0c9-4c3d-847f-89da613e70a8|/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8|security center||3.0.0|containerbenchmarkmonitoring|e8cbc669-f12d-49eb-93e7-9273119e9933|/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933|System.Object[]|tbd|auditifnotexists||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622|tbd||SecurityCenterBuiltIn|/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin|Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.|Security Center|Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622|ts-623b7169bfcb010068170821-vcstesting-rg|Microsoft.Compute/virtualMachines|tbd|westus|False|NonCompliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00|623b7169bfcb010068170821-vcstesting-splfs-00|55.0.0|||1f3afdf9-d0c9-4c3d-847f-89da613e70a8|/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8|security center||1.0.0|installendpointprotection|1f7c564c-0a90-4d44-b7e1-9d456cffaee8|/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8|azure_security_benchmark_v3.0_es-2|tbd|auditifnotexists||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622|tbd||SecurityCenterBuiltIn|/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin|To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.|Security Center|Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622|ts-623b7169bfcb010068170821-vcstesting-rg|Microsoft.Compute/virtualMachines|tbd|westus|False|NonCompliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00|623b7169bfcb010068170821-vcstesting-splfs-00|55.0.0|||1f3afdf9-d0c9-4c3d-847f-89da613e70a8|/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8|security center||1.0.0|endpointprotectionhealthissuesmonitoringeffect|8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2|/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2|System.Object[]|tbd|auditifnotexists||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622|tbd||SecurityCenterBuiltIn|/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin|Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.|Security Center|Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622|ts-623b7169bfcb010068170821-vcstesting-rg|Microsoft.Compute/virtualMachines|tbd|westus|True|Compliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00|623b7169bfcb010068170821-vcstesting-splfs-00|1.0.0|||12794019-7a00-42cf-95c2-882eed337cc8|/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8|guest configuration||3.0.0|prerequisite_deployextensionlinux|331e8ea8-378a-410f-a2e5-ae22f38bb0da|/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da||tbd|deployifnotexists||/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd|tbd||f34f1577286a4f77b5dd107c|/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c|This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.|Guest Configuration|Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622|ts-623b7169bfcb010068170821-vcstesting-rg|Microsoft.Compute/virtualMachines|tbd|westus|True|Compliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00|623b7169bfcb010068170821-vcstesting-splfs-00|55.0.0|||1f3afdf9-d0c9-4c3d-847f-89da613e70a8|/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8|security center||1.0.0|installloganalyticsagentonvmmonitoring|a4fe33eb-e377-4efb-ab31-0784311bc499|/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499|azure_security_benchmark_v3.0_lt-5|tbd|auditifnotexists||/providers/Microsoft.Management/managementGroups/MCAPSCore|tbd||Azure_Security_Baseline|/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline|This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats|Security Center|Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622|ts-623b7169bfcb010068170821-vcstesting-rg|Microsoft.Compute/virtualMachines|tbd|westus|True|Compliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00|623b7169bfcb010068170821-vcstesting-splfs-00|55.0.0|||1f3afdf9-d0c9-4c3d-847f-89da613e70a8|/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8|security center||4.0.0|systemupdatesmonitoring|86b3d65f-7626-441e-b690-81a8b71cff60|/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60|azure_security_benchmark_v3.0_pv-6|tbd|auditifnotexists||/providers/Microsoft.Management/managementGroups/MCAPSCore|tbd||Azure_Security_Baseline|/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline|Missing security system updates on your servers will be monitored by Azure Security Center as recommendations|Security Center|System updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622|ts-623b7169bfcb010068170821-vcstesting-rg|Microsoft.Compute/virtualMachines|tbd|westus|True|Compliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00|623b7169bfcb010068170821-vcstesting-splfs-00|55.0.0|||1f3afdf9-d0c9-4c3d-847f-89da613e70a8|/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8|security center||1.0.0-preview|systemupdatesv2monitoring|f85bf3e0-d513-442e-89c3-1784ad63382b|/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b|azure_security_benchmark_v3.0_pv-6|tbd|auditifnotexists||/providers/Microsoft.Management/managementGroups/MCAPSCore|tbd||Azure_Security_Baseline|/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline|Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.|Security Center|[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622|ts-623b7169bfcb010068170821-vcstesting-rg|Microsoft.Compute/virtualMachines|tbd|westus|True|Compliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00|623b7169bfcb010068170821-vcstesting-splfs-00|55.0.0|||1f3afdf9-d0c9-4c3d-847f-89da613e70a8|/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8|security center||3.0.0|jitnetworkaccessmonitoring|b0f33259-77d7-4c9e-aac6-3aabcfae693c|/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c|System.Object[]|tbd|auditifnotexists||/providers/Microsoft.Management/managementGroups/MCAPSCore|tbd||Azure_Security_Baseline|/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline|Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations|Security Center|Management ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622|ts-623b7169bfcb010068170821-vcstesting-rg|Microsoft.Compute/virtualMachines|tbd|westus|True|Compliant||/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00|623b7169bfcb010068170821-vcstesting-splfs-00|55.0.0|||1f3afdf9-d0c9-4c3d-847f-89da613e70a8|/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8|security center||3.0.0|adaptiveapplicationcontrolsmonitoring|47a6b606-51aa-4496-8bb7-64b11cf66adc|/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc|azure_security_benchmark_v3.0_am-5|tbd|auditifnotexists||/providers/Microsoft.Management/managementGroups/MCAPSCore|tbd||Azure_Security_Baseline|/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline|Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.|Security Center|Adaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00623b7169bfcb010068170821-vcstesting-splfs-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00623b7169bfcb010068170821-vcstesting-splfs-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00623b7169bfcb010068170821-vcstesting-splfs-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00623b7169bfcb010068170821-vcstesting-splfs-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00623b7169bfcb010068170821-vcstesting-splfs-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00623b7169bfcb010068170821-vcstesting-splfs-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00623b7169bfcb010068170821-vcstesting-splfs-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00623b7169bfcb010068170821-vcstesting-tran-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00623b7169bfcb010068170821-vcstesting-tran-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00623b7169bfcb010068170821-vcstesting-tran-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00623b7169bfcb010068170821-vcstesting-tran-001.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00623b7169bfcb010068170821-vcstesting-tran-001.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00623b7169bfcb010068170821-vcstesting-splfs-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00623b7169bfcb010068170821-vcstesting-splfs-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00623b7169bfcb010068170821-vcstesting-splfs-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00623b7169bfcb010068170821-vcstesting-splfs-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00623b7169bfcb010068170821-vcstesting-splfs-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00623b7169bfcb010068170821-vcstesting-splfs-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00623b7169bfcb010068170821-vcstesting-splfs-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00623b7169bfcb010068170821-vcstesting-splfs-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00623b7169bfcb010068170821-vcstesting-splfs-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
SubscriptionId | ResourceGroup | ResourceType | ResourceTags | ResourceLocation | IsCompliant | ComplianceState | EffectiveParameters | ResourceId | Resource | PolicySetDefinitionVersion | PolicySetDefinitionParameters | PolicySetDefinitionOwner | PolicySetDefinitionName | PolicySetDefinitionId | PolicySetDefinitionCategory | PolicyEvaluationDetails | PolicyDefinitionVersion | PolicyDefinitionReferenceId | PolicyDefinitionName | PolicyDefinitionId | PolicyDefinitionGroupNames | PolicyDefinitionCategory | PolicyDefinitionAction | PolicyAssignmentVersion | PolicyAssignmentScope | PolicyAssignmentParameters | PolicyAssignmentOwner | PolicyAssignmentName | PolicyAssignmentId | PolicyDescription | PolicyCategory | PolicyDisplayName
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | 013e242c-8828-4970-87b3-ab247555486d | /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d | System.Object[] | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Backup | Azure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Exempt |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Exempt |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines/extensions | tbd | westus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00/extensions/azurepolicyforlinux | azurepolicyforlinux | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.1 | gcextonvmwithnosamimonitoring | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a | System.Object[] | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Security Center | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00 | 623b7169bfcb010068170821-vcstesting-splfs-00 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00623b7169bfcb010068170821-vcstesting-splfs-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00623b7169bfcb010068170821-vcstesting-splfs-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00623b7169bfcb010068170821-vcstesting-splfs-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00623b7169bfcb010068170821-vcstesting-splfs-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00623b7169bfcb010068170821-vcstesting-splfs-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00623b7169bfcb010068170821-vcstesting-splfs-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00623b7169bfcb010068170821-vcstesting-splfs-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00623b7169bfcb010068170821-vcstesting-splfs-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00623b7169bfcb010068170821-vcstesting-worker-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00623b7169bfcb010068170821-vcstesting-worker-001.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachines/extensionstbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01623b7169bfcb010068170821-vcstesting-worker-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01623b7169bfcb010068170821-vcstesting-worker-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01623b7169bfcb010068170821-vcstesting-worker-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01623b7169bfcb010068170821-vcstesting-worker-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01623b7169bfcb010068170821-vcstesting-worker-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01623b7169bfcb010068170821-vcstesting-worker-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01623b7169bfcb010068170821-vcstesting-worker-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01623b7169bfcb010068170821-vcstesting-worker-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00623b7169bfcb010068170821-vcstesting-worker-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachines/extensionstbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.2 | gcextonvmmonitoring | ae89ebca-1c92-4898-ac2c-9f63decb045c | /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c | azure_security_benchmark_v3.0_pv-4 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Security Center | Guest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | installendpointprotection | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Security Center | Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 1.0.0 |  |  | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration |  | 4.0.0 | prerequisite_addsystemidentitywhennone | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | /providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e |  | tbd | modify |  | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | tbd |  | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 1.0.0 |  |  | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration |  | 4.0.0 | prerequisite_addsystemidentitywhenuser | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | /providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 |  | tbd | modify |  | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | tbd |  | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | classiccomputevmsmonitoring | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | /providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d | azure_security_benchmark_v3.0_am-2 | tbd | audit |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Compute | Virtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 2.0.0-preview | systemupdatesautoassessmentmode | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | /providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | azure_security_benchmark_v3.0_pv-6 | tbd | audit |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Update Management Center | [Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 2.0.0-preview | vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | /providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | azure_security_benchmark_v3.0_pv-4 | tbd | audit |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Security Center | [Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | installloganalyticsagentonvmmonitoring | a4fe33eb-e377-4efb-ab31-0784311bc499 | /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 | azure_security_benchmark_v3.0_lt-5 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Security Center | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | endpointprotectionhealthissuesmonitoringeffect | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | System.Object[] | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Security Center | Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | containerbenchmarkmonitoring | e8cbc669-f12d-49eb-93e7-9273119e9933 | /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 | System.Object[] | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Security Center | Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | restrictaccesstomanagementportsmonitoring | 22730e10-96f6-4aac-ad84-9383d35b5917 | /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 | azure_security_benchmark_v3.0_ns-3 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Security Center | Management ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 4.0.0 | systemupdatesmonitoring | 86b3d65f-7626-441e-b690-81a8b71cff60 | /providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Security Center | System updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0-preview | systemupdatesv2monitoring | f85bf3e0-d513-442e-89c3-1784ad63382b | /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Security Center | [Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 1.0.0 |  |  | 12794019-7a00-42cf-95c2-882eed337cc8 | /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8 | guest configuration |  | 3.0.0 | prerequisite_deployextensionlinux | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | /providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da |  | tbd | deployifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd | tbd |  | f34f1577286a4f77b5dd107c | /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Guest Configuration | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | jitnetworkaccessmonitoring | b0f33259-77d7-4c9e-aac6-3aabcfae693c | /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c | System.Object[] | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Security Center | Management ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | adaptiveapplicationcontrolsmonitoring | 47a6b606-51aa-4496-8bb7-64b11cf66adc | /providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Security Center | Adaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | adaptiveapplicationcontrolsupdatemonitoring | 123a3936-f020-408a-ba0c-47873faf1534 | /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 | azure_security_benchmark_v3.0_am-5 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Security Center | Allowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00 | 623b7169bfcb010068170821-vcstesting-tran-00 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 | azure_security_benchmark_v3.0_im-6 | tbd | auditifnotexists |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Guest Configuration | Authentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | networksecuritygroupsonvirtualmachinesmonitoring | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02 | 623b7169bfcb010068170821-vcstesting-worker-02 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 4.0.0-preview | previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | /providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121 | azure_security_benchmark_v3.0_pv-4 | tbd | audit |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622 | tbd |  | SecurityCenterBuiltIn | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. | Security Center | [Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | networksecuritygroupsoninternalvirtualmachinesmonitoring | bb91dfba-c30d-4263-9add-9c2384e659a6 | /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Security Center | Non-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | endpointprotectionmonitoring | af6cd1bd-1635-48cb-bde7-5b15693900b9 | /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 | azure_security_benchmark_v3.0_es-2 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Security Center | Monitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | systemconfigurationsmonitoring | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Security Center | Vulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 2.0.3 | diskencryptionmonitoring | 0961003e-5a0a-4549-abde-af6a37f2724d | /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d | azure_security_benchmark_v3.0_dp-4 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | Security Center | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | nextgenerationfirewallmonitoring | 9daedab3-fb2d-461e-b861-71790eead4f6 | /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 | azure_security_benchmark_v3.0_ns-1 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Security Center | All network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | servervulnerabilityassessment | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 | azure_security_benchmark_v3.0_pv-5 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Security Center | A vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | False | NonCompliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 1.0.0 | serversqldbvulnerabilityassesmentmonitoring | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | azure_security_benchmark_v3.0_pv-6 | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Security Center | SQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622 | ts-623b7169bfcb010068170821-vcstesting-rg | Microsoft.Compute/virtualMachines | tbd | westus | True | Compliant |  | /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01 | 623b7169bfcb010068170821-vcstesting-worker-01 | 55.0.0 |  |  | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | security center |  | 3.0.0 | adaptivenetworkhardeningsmonitoring | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | System.Object[] | tbd | auditifnotexists |  | /providers/Microsoft.Management/managementGroups/MCAPSCore | tbd |  | Azure_Security_Baseline | /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Security Center | Adaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01623b7169bfcb010068170821-vcstesting-worker-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00623b7169bfcb010068170821-vcstesting-worker-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-splfs-00623b7169bfcb010068170821-vcstesting-splfs-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02623b7169bfcb010068170821-vcstesting-worker-0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02623b7169bfcb010068170821-vcstesting-worker-0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02623b7169bfcb010068170821-vcstesting-worker-0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02623b7169bfcb010068170821-vcstesting-worker-0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01623b7169bfcb010068170821-vcstesting-worker-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02623b7169bfcb010068170821-vcstesting-worker-0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02623b7169bfcb010068170821-vcstesting-worker-0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02623b7169bfcb010068170821-vcstesting-worker-021.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration3.0.0prerequisite_deployextensionlinux331e8ea8-378a-410f-a2e5-ae22f38bb0da/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0datbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02623b7169bfcb010068170821-vcstesting-worker-0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02623b7169bfcb010068170821-vcstesting-worker-0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02623b7169bfcb010068170821-vcstesting-worker-0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02623b7169bfcb010068170821-vcstesting-worker-0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02623b7169bfcb010068170821-vcstesting-worker-0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02623b7169bfcb010068170821-vcstesting-worker-0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02623b7169bfcb010068170821-vcstesting-worker-0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02623b7169bfcb010068170821-vcstesting-worker-0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02623b7169bfcb010068170821-vcstesting-worker-0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02623b7169bfcb010068170821-vcstesting-worker-0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02623b7169bfcb010068170821-vcstesting-worker-0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00623b7169bfcb010068170821-vcstesting-worker-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02623b7169bfcb010068170821-vcstesting-worker-0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02623b7169bfcb010068170821-vcstesting-worker-0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02623b7169bfcb010068170821-vcstesting-worker-0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02623b7169bfcb010068170821-vcstesting-worker-0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02623b7169bfcb010068170821-vcstesting-worker-0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02623b7169bfcb010068170821-vcstesting-worker-0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01623b7169bfcb010068170821-vcstesting-worker-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02623b7169bfcb010068170821-vcstesting-worker-0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02623b7169bfcb010068170821-vcstesting-worker-0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02623b7169bfcb010068170821-vcstesting-worker-0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02623b7169bfcb010068170821-vcstesting-worker-0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02623b7169bfcb010068170821-vcstesting-worker-0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02623b7169bfcb010068170821-vcstesting-worker-0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02623b7169bfcb010068170821-vcstesting-worker-0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02623b7169bfcb010068170821-vcstesting-worker-0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02623b7169bfcb010068170821-vcstesting-worker-0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02623b7169bfcb010068170821-vcstesting-worker-0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02623b7169bfcb010068170821-vcstesting-worker-0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02623b7169bfcb010068170821-vcstesting-worker-0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02623b7169bfcb010068170821-vcstesting-worker-0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02623b7169bfcb010068170821-vcstesting-worker-0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-02623b7169bfcb010068170821-vcstesting-worker-0255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00623b7169bfcb010068170821-vcstesting-tran-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
Policy compliance rows for subscription 1d81cec7-7ded-4731-884e-90c5aa59c622, resource group ts-623b7169bfcb010068170821-vcstesting-rg, location westus. Columns whose value is the same in every row are stated once here instead of being repeated per row: ResourceType is Microsoft.Compute/virtualMachines (except the one extension row, Microsoft.Compute/virtualMachines/extensions); ResourceTags, PolicyDefinitionCategory and PolicyAssignmentParameters are tbd; EffectiveParameters, PolicySetDefinitionParameters, PolicySetDefinitionOwner, PolicyEvaluationDetails, PolicyAssignmentVersion and PolicyAssignmentOwner carry no value in these rows. IsCompliant is True for Compliant rows and False for NonCompliant rows. ResourceId is /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/<Resource> (for the extension row, .../virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01/extensions/azurepolicyforlinux). PolicyDefinitionId is /providers/microsoft.authorization/policydefinitions/<PolicyDefinitionName>.

Initiatives (PolicySetDefinition) referenced by the rows:
- SC: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8, /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8, category security center, version 55.0.0
- GC: 12794019-7a00-42cf-95c2-882eed337cc8, /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8, category guest configuration, version 1.0.0

Assignments referenced by the rows:
- SecurityCenterBuiltIn: scope /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622, id /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
- Azure_Security_Baseline: scope /providers/Microsoft.Management/managementGroups/MCAPSCore, id /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
- f34f1577286a4f77b5dd107c: scope /providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd, id /providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c

| Resource | ComplianceState | PolicyDisplayName | PolicyDefinitionName | Initiative | PolicyAssignmentName |
|---|---|---|---|---|---|
| 623b7169bfcb010068170821-vcstesting-tran-00 | Compliant | [Preview]: Secure Boot should be enabled on supported Windows virtual machines | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | SC | SecurityCenterBuiltIn |
| 623b7169bfcb010068170821-vcstesting-worker-01 | NonCompliant | SQL servers on machines should have vulnerability findings resolved | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | SC | SecurityCenterBuiltIn |
| 623b7169bfcb010068170821-vcstesting-worker-01 | NonCompliant | Azure Backup should be enabled for Virtual Machines | 013e242c-8828-4970-87b3-ab247555486d | SC | SecurityCenterBuiltIn |
| 623b7169bfcb010068170821-vcstesting-worker-00 | Compliant | Management ports should be closed on your virtual machines | 22730e10-96f6-4aac-ad84-9383d35b5917 | SC | Azure_Security_Baseline |
| 623b7169bfcb010068170821-vcstesting-worker-00 | Compliant | IP Forwarding on your virtual machine should be disabled | bd352bd5-2853-4985-bf0d-73806b4a5744 | SC | Azure_Security_Baseline |
| 623b7169bfcb010068170821-vcstesting-worker-00 | Compliant | Vulnerabilities in container security configurations should be remediated | e8cbc669-f12d-49eb-93e7-9273119e9933 | SC | Azure_Security_Baseline |
| 623b7169bfcb010068170821-vcstesting-worker-00 | NonCompliant | Authentication to Linux machines should require SSH keys | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | SC | SecurityCenterBuiltIn |
| 623b7169bfcb010068170821-vcstesting-worker-00 | NonCompliant | Azure Backup should be enabled for Virtual Machines | 013e242c-8828-4970-87b3-ab247555486d | SC | Azure_Security_Baseline |
| 623b7169bfcb010068170821-vcstesting-worker-00 | NonCompliant | Endpoint protection should be installed on your machines | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | SC | Azure_Security_Baseline |
| 623b7169bfcb010068170821-vcstesting-worker-00 | NonCompliant | Endpoint protection health issues should be resolved on your machines | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | SC | Azure_Security_Baseline |
| 623b7169bfcb010068170821-vcstesting-worker-01 | NonCompliant | Endpoint protection should be installed on your machines | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | SC | SecurityCenterBuiltIn |
| 623b7169bfcb010068170821-vcstesting-worker-01 | Compliant | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | GC | f34f1577286a4f77b5dd107c |
| 623b7169bfcb010068170821-vcstesting-worker-01 | Compliant | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | GC | f34f1577286a4f77b5dd107c |
| 623b7169bfcb010068170821-vcstesting-worker-01 | Compliant | Virtual machines should be migrated to new Azure Resource Manager resources | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | SC | SecurityCenterBuiltIn |
| 623b7169bfcb010068170821-vcstesting-worker-01 | Compliant | [Preview]: Machines should be configured to periodically check for missing system updates | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | SC | SecurityCenterBuiltIn |
| 623b7169bfcb010068170821-vcstesting-worker-01 | Compliant | [Preview]: vTPM should be enabled on supported virtual machines | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | SC | SecurityCenterBuiltIn |
| 623b7169bfcb010068170821-vcstesting-worker-01 | Compliant | [Preview]: Secure Boot should be enabled on supported Windows virtual machines | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | SC | SecurityCenterBuiltIn |
| 623b7169bfcb010068170821-vcstesting-worker-01 | Compliant | Virtual machines should be migrated to new Azure Resource Manager resources | 1d84d5fb-01f6-4d12-ba4f-4a26081d403d | SC | Azure_Security_Baseline |
| 623b7169bfcb010068170821-vcstesting-worker-00 | NonCompliant | Linux machines should meet requirements for the Azure compute security baseline | fc9b3da7-8347-4380-8e70-0a0361d8dedd | SC | SecurityCenterBuiltIn |
| azurepolicyforlinux (extension of 623b7169bfcb010068170821-vcstesting-worker-01) | Compliant | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | SC | SecurityCenterBuiltIn |
| 623b7169bfcb010068170821-vcstesting-worker-01 | Compliant | Vulnerabilities in container security configurations should be remediated | e8cbc669-f12d-49eb-93e7-9273119e9933 | SC | SecurityCenterBuiltIn |
| 623b7169bfcb010068170821-vcstesting-worker-01 | Compliant | IP Forwarding on your virtual machine should be disabled | bd352bd5-2853-4985-bf0d-73806b4a5744 | SC | SecurityCenterBuiltIn |
| 623b7169bfcb010068170821-vcstesting-worker-01 | Compliant | Management ports should be closed on your virtual machines | 22730e10-96f6-4aac-ad84-9383d35b5917 | SC | SecurityCenterBuiltIn |
| 623b7169bfcb010068170821-vcstesting-worker-01 | Compliant | Adaptive network hardening recommendations should be applied on internet facing virtual machines | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | SC | SecurityCenterBuiltIn |
| 623b7169bfcb010068170821-vcstesting-worker-01 | Compliant | [Preview]: Machines should be configured to periodically check for missing system updates | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | SC | Azure_Security_Baseline |
| 623b7169bfcb010068170821-vcstesting-worker-01 | Compliant | All network ports should be restricted on network security groups associated to your virtual machine | 9daedab3-fb2d-461e-b861-71790eead4f6 | SC | SecurityCenterBuiltIn |
| 623b7169bfcb010068170821-vcstesting-worker-01 | Compliant | A vulnerability assessment solution should be enabled on your virtual machines | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | SC | SecurityCenterBuiltIn |
| 623b7169bfcb010068170821-vcstesting-worker-01 | Compliant | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | 0961003e-5a0a-4549-abde-af6a37f2724d | SC | SecurityCenterBuiltIn |
| 623b7169bfcb010068170821-vcstesting-worker-01 | Compliant | Monitor missing Endpoint Protection in Azure Security Center | af6cd1bd-1635-48cb-bde7-5b15693900b9 | SC | SecurityCenterBuiltIn |

Policy definitions referenced above (PolicyDefinitionName; PolicyDefinitionReferenceId; PolicyDefinitionVersion; PolicyDefinitionGroupNames; PolicyDefinitionAction; PolicyCategory; PolicyDisplayName; PolicyDescription). A group shown as System.Object[] is a multi-valued group list that the export did not expand.

- 97566dd7-78ae-4997-8b36-1c7bfe0d8121; previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect; 4.0.0-preview; azure_security_benchmark_v3.0_pv-4; audit; Security Center; [Preview]: Secure Boot should be enabled on supported Windows virtual machines. Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.
- 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d; serversqldbvulnerabilityassesmentmonitoring; 1.0.0; azure_security_benchmark_v3.0_pv-6; auditifnotexists; Security Center; SQL servers on machines should have vulnerability findings resolved. SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.
- 013e242c-8828-4970-87b3-ab247555486d; azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect; 3.0.0; System.Object[]; auditifnotexists; Backup; Azure Backup should be enabled for Virtual Machines. Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.
- 22730e10-96f6-4aac-ad84-9383d35b5917; restrictaccesstomanagementportsmonitoring; 3.0.0; azure_security_benchmark_v3.0_ns-3; auditifnotexists; Security Center; Management ports should be closed on your virtual machines. Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.
- bd352bd5-2853-4985-bf0d-73806b4a5744; disableipforwardingmonitoring; 3.0.0; azure_security_benchmark_v3.0_ns-3; auditifnotexists; Security Center; IP Forwarding on your virtual machine should be disabled. Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.
- e8cbc669-f12d-49eb-93e7-9273119e9933; containerbenchmarkmonitoring; 3.0.0; System.Object[]; auditifnotexists; Security Center; Vulnerabilities in container security configurations should be remediated. Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.
- 630c64f9-8b6b-4c64-b511-6544ceff6fd6; authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect; 3.0.0; azure_security_benchmark_v3.0_im-6; auditifnotexists; Guest Configuration; Authentication to Linux machines should require SSH keys. Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.
- 1f7c564c-0a90-4d44-b7e1-9d456cffaee8; installendpointprotection; 1.0.0; azure_security_benchmark_v3.0_es-2; auditifnotexists; Security Center; Endpoint protection should be installed on your machines. To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.
- 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2; endpointprotectionhealthissuesmonitoringeffect; 1.0.0; System.Object[]; auditifnotexists; Security Center; Endpoint protection health issues should be resolved on your machines. Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.
- 3cf2ab00-13f1-4d0c-8971-2ac904541a7e; prerequisite_addsystemidentitywhennone; 4.0.0; (no group); modify; Guest Configuration; Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities. This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.
- 497dff13-db2a-4c0f-8603-28fa3b331ab6; prerequisite_addsystemidentitywhenuser; 4.0.0; (no group); modify; Guest Configuration; Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity. This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.
- 1d84d5fb-01f6-4d12-ba4f-4a26081d403d; classiccomputevmsmonitoring; 1.0.0; azure_security_benchmark_v3.0_am-2; audit; Compute; Virtual machines should be migrated to new Azure Resource Manager resources. Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management.
- bd876905-5b84-4f73-ab2d-2e7a7c4568d9; systemupdatesautoassessmentmode; 2.0.0-preview; azure_security_benchmark_v3.0_pv-6; audit; Update Management Center; [Preview]: Machines should be configured to periodically check for missing system updates. To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.
- 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3; vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect; 2.0.0-preview; azure_security_benchmark_v3.0_pv-4; audit; Security Center; [Preview]: vTPM should be enabled on supported virtual machines. Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.
- fc9b3da7-8347-4380-8e70-0a0361d8dedd; linuxguestconfigbaselinesmonitoring; 2.0.0; azure_security_benchmark_v3.0_pv-4; auditifnotexists; Guest Configuration; Linux machines should meet requirements for the Azure compute security baseline. Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.
- d26f7642-7545-4e18-9b75-8c9bbdee3a9a; gcextonvmwithnosamimonitoring; 1.0.1; System.Object[]; auditifnotexists; Security Center; Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity. The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol.
- 08e6af2d-db70-460a-bfe9-d5bd474ba9d6; adaptivenetworkhardeningsmonitoring; 3.0.0; System.Object[]; auditifnotexists; Security Center; Adaptive network hardening recommendations should be applied on internet facing virtual machines. Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface.
- 9daedab3-fb2d-461e-b861-71790eead4f6; nextgenerationfirewallmonitoring; 3.0.0; azure_security_benchmark_v3.0_ns-1; auditifnotexists; Security Center; All network ports should be restricted on network security groups associated to your virtual machine. Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.
- 501541f7-f7e7-4cd6-868c-4190fdad3ac9; servervulnerabilityassessment; 3.0.0; azure_security_benchmark_v3.0_pv-5; auditifnotexists; Security Center; A vulnerability assessment solution should be enabled on your virtual machines. Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.
- 0961003e-5a0a-4549-abde-af6a37f2724d; diskencryptionmonitoring; 2.0.3; azure_security_benchmark_v3.0_dp-4; auditifnotexists; Security Center; Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources. By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison.
- af6cd1bd-1635-48cb-bde7-5b15693900b9; endpointprotectionmonitoring; 3.0.0; azure_security_benchmark_v3.0_es-2; auditifnotexists; Security Center; Monitor missing Endpoint Protection in Azure Security Center. Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations.
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-tran-00623b7169bfcb010068170821-vcstesting-tran-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01623b7169bfcb010068170821-vcstesting-worker-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00623b7169bfcb010068170821-vcstesting-worker-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01623b7169bfcb010068170821-vcstesting-worker-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00623b7169bfcb010068170821-vcstesting-worker-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00623b7169bfcb010068170821-vcstesting-worker-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01623b7169bfcb010068170821-vcstesting-worker-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachines/extensionstbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00623b7169bfcb010068170821-vcstesting-worker-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00623b7169bfcb010068170821-vcstesting-worker-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00623b7169bfcb010068170821-vcstesting-worker-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00623b7169bfcb010068170821-vcstesting-worker-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00623b7169bfcb010068170821-vcstesting-worker-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00623b7169bfcb010068170821-vcstesting-worker-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01623b7169bfcb010068170821-vcstesting-worker-0155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00623b7169bfcb010068170821-vcstesting-worker-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00623b7169bfcb010068170821-vcstesting-worker-001.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration3.0.0prerequisite_deployextensionlinux331e8ea8-378a-410f-a2e5-ae22f38bb0da/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0datbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00623b7169bfcb010068170821-vcstesting-worker-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00623b7169bfcb010068170821-vcstesting-worker-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00623b7169bfcb010068170821-vcstesting-worker-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622ts-623b7169bfcb010068170821-vcstesting-rgMicrosoft.Compute/virtualMachinestbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00623b7169bfcb010068170821-vcstesting-worker-0055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00,623b7169bfcb010068170821-vcstesting-worker-00,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsoninternalvirtualmachinesmonitoring,bb91dfba-c30d-4263-9add-9c2384e659a6,/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Non-internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-01,623b7169bfcb010068170821-vcstesting-worker-01,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,"[Preview]: vTPM should be enabled on supported virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00,623b7169bfcb010068170821-vcstesting-worker-00,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,"Allowlist rules in your adaptive application control policy should be updated"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00,623b7169bfcb010068170821-vcstesting-worker-00,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,"Adaptive application controls for defining safe applications should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00,623b7169bfcb010068170821-vcstesting-worker-00,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,"Management ports of virtual machines should be protected with just-in-time network access control"
1d81cec7-7ded-4731-884e-90c5aa59c622,ts-623b7169bfcb010068170821-vcstesting-rg,Microsoft.Compute/virtualMachines,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ts-623b7169bfcb010068170821-vcstesting-rg/providers/microsoft.compute/virtualmachines/623b7169bfcb010068170821-vcstesting-worker-00,623b7169bfcb010068170821-vcstesting-worker-00,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img,ycad-compute-img,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhennone,3cf2ab00-13f1-4d0c-8971-2ac904541a7e,/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img,ycad-compute-img,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,4.0.0,prerequisite_addsystemidentitywhenuser,497dff13-db2a-4c0f-8603-28fa3b331ab6,/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6,,tbd,modify,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img,ycad-compute-img,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,"Virtual machines should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img,ycad-compute-img,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,"[Preview]: Machines should be configured to periodically check for missing system updates"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img,ycad-compute-img,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,"[Preview]: vTPM should be enabled on supported virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img,ycad-compute-img,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,"[Preview]: Secure Boot should be enabled on supported Windows virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img,ycad-compute-img,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classiccomputevmsmonitoring,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Compute,"Virtual machines should be migrated to new Azure Resource Manager resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img,ycad-compute-img,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,systemupdatesautoassessmentmode,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",Update Management Center,"[Preview]: Machines should be configured to periodically check for missing system updates"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img,ycad-compute-img,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0-preview,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.",Security Center,"[Preview]: vTPM should be enabled on supported virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img,ycad-compute-img,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0-preview,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,97566dd7-78ae-4997-8b36-1c7bfe0d8121,/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.",Security Center,"[Preview]: Secure Boot should be enabled on supported Windows virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,True,Exempt,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img,ycad-compute-img,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,"System updates should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi,instance-gi4dgnzumntgcljqhe4dkljumi,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,"A vulnerability assessment solution should be enabled on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi,instance-gi4dgnzumntgcljqhe4dkljumi,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi,instance-gi4dgnzumntgcljqhe4dkljumi,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2-preview,ascdependencyagentauditlinuxeffect,04c4380f-3fae-46e8-96c9-30193528f602,/providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602,azure_security_benchmark_v3.0_lt-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.",Monitoring,"[Preview]: Network traffic data collection agent should be installed on Linux virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi,instance-gi4dgnzumntgcljqhe4dkljumi,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,"Guest Configuration extension should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi,instance-gi4dgnzumntgcljqhe4dkljumi,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,"Endpoint protection should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi,instance-gi4dgnzumntgcljqhe4dkljumi,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2-preview,ascdependencyagentauditlinuxeffect,04c4380f-3fae-46e8-96c9-30193528f602,/providers/microsoft.authorization/policydefinitions/04c4380f-3fae-46e8-96c9-30193528f602,azure_security_benchmark_v3.0_lt-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.",Monitoring,"[Preview]: Network traffic data collection agent should be installed on Linux virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr,fileserver-gu4geojsgeygcljzga4tsljugr,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,"Linux machines should meet requirements for the Azure compute security baseline"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi,instance-gi4dgnzumntgcljqhe4dkljumi,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,3.0.0,prerequisite_deployextensionlinux,331e8ea8-378a-410f-a2e5-ae22f38bb0da,/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da,,tbd,deployifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi,instance-gi4dgnzumntgcljqhe4dkljumi,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,"Vulnerabilities in container security configurations should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi,instance-gi4dgnzumntgcljqhe4dkljumi,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,"System updates should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi,instance-gi4dgnzumntgcljqhe4dkljumi,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,"[Preview]: System updates should be installed on your machines (powered by Update Center)"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi,instance-gi4dgnzumntgcljqhe4dkljumi,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,"Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi,instance-gi4dgnzumntgcljqhe4dkljumi,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,"Management ports of virtual machines should be protected with just-in-time network access control"
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumiinstance-gi4dgnzumntgcljqhe4dkljumi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumiinstance-gi4dgnzumntgcljqhe4dkljumi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumiinstance-gi4dgnzumntgcljqhe4dkljumi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumiinstance-gi4dgnzumntgcljqhe4dkljumi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumiinstance-gi4dgnzumntgcljqhe4dkljumi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumiinstance-gi4dgnzumntgcljqhe4dkljumi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumiinstance-gi4dgnzumntgcljqhe4dkljumi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumiinstance-gi4dgnzumntgcljqhe4dkljumi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumiinstance-gi4dgnzumntgcljqhe4dkljumi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumiinstance-gi4dgnzumntgcljqhe4dkljumi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjumpazyc-windowsjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect5752e6d6-1206-46d8-8ab1-ecc2f71a8112/providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112azure_security_benchmark_v3.0_dp-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.Guest ConfigurationWindows web servers should be configured to use secure communication protocols
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumiinstance-gi4dgnzumntgcljqhe4dkljumi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumiinstance-gi4dgnzumntgcljqhe4dkljumi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumiinstance-gi4dgnzumntgcljqhe4dkljumi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumiinstance-gi4dgnzumntgcljqhe4dkljumi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumiinstance-gi4dgnzumntgcljqhe4dkljumi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumiinstance-gi4dgnzumntgcljqhe4dkljumi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumiinstance-gi4dgnzumntgcljqhe4dkljumi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumiinstance-gi4dgnzumntgcljqhe4dkljumi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumiinstance-gi4dgnzumntgcljqhe4dkljumi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumiinstance-gi4dgnzumntgcljqhe4dkljumi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugrfileserver-gu4geojsgeygcljzga4tsljugr55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumiinstance-gi4dgnzumntgcljqhe4dkljumi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines/extensions,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi/extensions/azurepolicyforlinux,azurepolicyforlinux,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi,instance-gi4dgnzumntgcljqhe4dkljumi,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,Linux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi,instance-gi4dgnzumntgcljqhe4dkljumi,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,Authentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump,azyc-windowsjump,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,windowsguestconfigbaselinesmonitoring,72650e9f-97bc-4b2a-ab5f-9781a9fcecbc,/providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,Windows machines should meet requirements of the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr,fileserver-gu4geojsgeygcljzga4tsljugr,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,Linux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi,instance-gi4dgnzumntgcljqhe4dkljumi,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi,instance-gi4dgnzumntgcljqhe4dkljumi,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,linuxguestconfigbaselinesmonitoring,fc9b3da7-8347-4380-8e70-0a0361d8dedd,/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.",Guest Configuration,Linux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr,fileserver-gu4geojsgeygcljzga4tsljugr,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,Authentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi,instance-gi4dgnzumntgcljqhe4dkljumi,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines/extensions,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi/extensions/azurepolicyforlinux,azurepolicyforlinux,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,gcextonvmwithnosamimonitoring,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol",Security Center,Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi,instance-gi4dgnzumntgcljqhe4dkljumi,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,Azure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi,instance-gi4dgnzumntgcljqhe4dkljumi,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,All network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi,instance-gi4dgnzumntgcljqhe4dkljumi,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,IP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Storage/storageAccounts,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/azypuswest2,azypuswest2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,Storage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img,ycad-compute-img,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Storage/storageAccounts,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/voltusccstorusw2,voltusccstorusw2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Storage/storageAccounts,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/azypuswest2,azypuswest2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Network/virtualNetworks,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.network/virtualnetworks/ycadence-vnet,ycadence-vnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networkwatchershouldbeenabledmonitoringeffect,b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,azure_security_benchmark_v3.0_ir-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.",Network,Network Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Network/virtualNetworks,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.network/virtualnetworks/cad-vnet2,cad-vnet2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networkwatchershouldbeenabledmonitoringeffect,b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,azure_security_benchmark_v3.0_ir-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.",Network,Network Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Network/virtualNetworks,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.network/virtualnetworks/ycadence-vnet,ycadence-vnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networkwatchershouldbeenabledmonitoringeffect,b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,azure_security_benchmark_v3.0_ir-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.",Network,Network Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Network/virtualNetworks,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.network/virtualnetworks/cad-vnet2,cad-vnet2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networkwatchershouldbeenabledmonitoringeffect,b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,/providers/microsoft.authorization/policydefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6,azure_security_benchmark_v3.0_ir-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.",Network,Network Watcher should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Network/virtualNetworks/subnets,tbd,,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.network/virtualnetworks/ycadence-vnet/subnets/default,default,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",Security Center,Subnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Network/virtualNetworks/subnets,tbd,,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.network/virtualnetworks/cad-vnet2/subnets/sn-storage,sn-storage,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",Security Center,Subnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Network/virtualNetworks/subnets,tbd,,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.network/virtualnetworks/cad-vnet2/subnets/sn-compute,sn-compute,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",Security Center,Subnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Network/virtualNetworks/subnets,tbd,,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.network/virtualnetworks/cad-vnet2/subnets/gatewaysubnet,gatewaysubnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",Security Center,Subnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Network/virtualNetworks/subnets,tbd,,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.network/virtualnetworks/cad-vnet2/subnets/azurebastionsubnet,azurebastionsubnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonsubnetsmonitoring,e71308d3-144b-4262-b144-efdc3cc90517,/providers/microsoft.authorization/policydefinitions/e71308d3-144b-4262-b144-efdc3cc90517,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.",Security Center,Subnets should be associated with a Network Security Group
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Network/virtualNetworks,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.network/virtualnetworks/cad-vnet2,cad-vnet2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0-preview,azurefirewalleffect,fc5e4038-4584-4632-8c85-c0448d374b2c,/providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall",Network,[Preview]: All Internet traffic should be routed via your deployed Azure Firewall
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Network/virtualNetworks,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.network/virtualnetworks/cad-vnet2,cad-vnet2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0-preview,azurefirewalleffect,fc5e4038-4584-4632-8c85-c0448d374b2c,/providers/microsoft.authorization/policydefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall",Network,[Preview]: All Internet traffic should be routed via your deployed Azure Firewall
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Network/virtualNetworks,tbd,southcentralus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.network/virtualnetworks/ycadence-vnet,ycadence-vnet,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vnetenableddosprotectionmonitoring,a7aca53f-2ed4-4466-a25e-0b45ade68efd,/providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd,azure_security_benchmark_v3.0_ns-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.",Security Center,Azure DDoS Protection Standard should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Network/virtualNetworks,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.network/virtualnetworks/cad-vnet2,cad-vnet2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vnetenableddosprotectionmonitoring,a7aca53f-2ed4-4466-a25e-0b45ade68efd,/providers/microsoft.authorization/policydefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd,azure_security_benchmark_v3.0_ns-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.",Security Center,Azure DDoS Protection Standard should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img,ycad-compute-img,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,Authentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-imgycad-compute-img55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachineScaleSetstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachinescalesets/scheduler-7jwnbad4gbarlscheduler-7jwnbad4gbarl55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.1.0diagnosticslogsinservicefabricmonitoringeffect7c1b1214-f927-48bf-8882-84f0af6588b1/providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1azure_security_benchmark_v3.0_lt-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineIt is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise.ComputeResource logs in Virtual Machine Scale Sets should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachineScaleSetstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachinescalesets/ondemand-tjry4hngbvfllondemand-tjry4hngbvfll55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.1.0diagnosticslogsinservicefabricmonitoringeffect7c1b1214-f927-48bf-8882-84f0af6588b1/providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1azure_security_benchmark_v3.0_lt-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinIt is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise.ComputeResource logs in Virtual Machine Scale Sets should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachineScaleSetstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachinescalesets/ondemand-tjry4hngbvfllondemand-tjry4hngbvfll55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.1.0diagnosticslogsinservicefabricmonitoringeffect7c1b1214-f927-48bf-8882-84f0af6588b1/providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1azure_security_benchmark_v3.0_lt-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineIt is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise.ComputeResource logs in Virtual Machine Scale Sets should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachineScaleSetstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachinescalesets/scheduler-7jwnbad4gbarlscheduler-7jwnbad4gbarl55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.1.0diagnosticslogsinservicefabricmonitoringeffect7c1b1214-f927-48bf-8882-84f0af6588b1/providers/microsoft.authorization/policydefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1azure_security_benchmark_v3.0_lt-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinIt is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise.ComputeResource logs in Virtual Machine Scale Sets should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-imgycad-compute-img55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachineScaleSetstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachinescalesets/scheduler-7jwnbad4gbarlscheduler-7jwnbad4gbarl55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachineScaleSetstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachinescalesets/scheduler-7jwnbad4gbarlscheduler-7jwnbad4gbarl55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmsssystemupdatesmonitoringc3f317a7-a95c-4547-b7e7-11017ebdf2fe/providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2feazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure.Security CenterSystem updates on virtual machine scale sets should be installed
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachineScaleSetstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachinescalesets/scheduler-7jwnbad4gbarlscheduler-7jwnbad4gbarl55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmssendpointprotectionmonitoring26a828e1-e88f-464e-bbb3-c134a282b9de/providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9deazure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.Security CenterEndpoint protection solution should be installed on virtual machine scale sets
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Storage/storageAccountstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/voltusccstorusw2voltusccstorusw255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/azypuswest2azypuswest255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Storage/storageAccountstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/voltusccstorusw2voltusccstorusw255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/azypuswest2azypuswest255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumiinstance-gi4dgnzumntgcljqhe4dkljumi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/azypuswest2azypuswest255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Storage/storageAccountstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/ycadencevoltuswest2ycadencevoltuswest255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Storage/storageAccountstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/ycadencevoltuswest2ycadencevoltuswest255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Storage/storageAccountstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/voltusccstorusw2voltusccstorusw255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/azypuswest2azypuswest255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Storage/storageAccountstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/voltusccstorusw2voltusccstorusw255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Storage/storageAccountstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/ycadencevoltuswest2ycadencevoltuswest255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Storage/storageAccountstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/ycadencevoltuswest2ycadencevoltuswest255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Storage/storageAccountstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/ycadencevoltuswest2ycadencevoltuswest255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Storage/storageAccounts,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/ycadencevoltuswest2,ycadencevoltuswest2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Storage/storageAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/ycadencevoltuswest2,ycadencevoltuswest2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.1.1,disableunrestrictednetworktostorageaccountmonitoring,34c877ad-507e-4c82-993e-3452a6e0ad3c,/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges",Storage,Storage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachineScaleSets,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachinescalesets/scheduler-7jwnbad4gbarl,scheduler-7jwnbad4gbarl,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vmssosvulnerabilitiesmonitoring,3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4,/providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks.",Security Center,Vulnerabilities in security configuration on your virtual machine scale sets should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Storage/storageAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/ycadencevoltuswest2,ycadencevoltuswest2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,Storage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Storage/storageAccounts,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/ycadencevoltuswest2,ycadencevoltuswest2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,Storage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Storage/storageAccounts,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/ycadencevoltuswest2,ycadencevoltuswest2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Storage/storageAccounts,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/azypuswest2,azypuswest2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,Storage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Storage/storageAccounts,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/voltusccstorusw2,voltusccstorusw2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,Storage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Storage/storageAccounts,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/voltusccstorusw2,voltusccstorusw2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Storage/storageAccounts,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/azypuswest2,azypuswest2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Storage/storageAccounts,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/voltusccstorusw2,voltusccstorusw2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,Storage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Storage/storageAccounts,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/azypuswest2,azypuswest2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,Storage accounts should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Storage/storageAccounts,tbd,westus,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/azypuswest2,azypuswest2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Storage/storageAccounts,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/voltusccstorusw2,voltusccstorusw2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.1.1,disableunrestrictednetworktostorageaccountmonitoring,34c877ad-507e-4c82-993e-3452a6e0ad3c,/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges",Storage,Storage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Storage/storageAccounts,tbd,westus,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/azypuswest2,azypuswest2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.1.1,disableunrestrictednetworktostorageaccountmonitoring,34c877ad-507e-4c82-993e-3452a6e0ad3c,/providers/microsoft.authorization/policydefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges",Storage,Storage accounts should restrict network access
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Storage/storageAccounts,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/voltusccstorusw2,voltusccstorusw2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,Storage accounts should restrict network access using virtual network rules
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Storage/storageAccounts,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/ycadencevoltuswest2,ycadencevoltuswest2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,[Preview]: Storage account public access should be disallowed
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachineScaleSets,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachinescalesets/scheduler-7jwnbad4gbarl,scheduler-7jwnbad4gbarl,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmssmonitoring,a3a6ea0c-e018-4933-9ef0-5aaa1501449b,/providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats.",Security Center,Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachineScaleSets,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachinescalesets/scheduler-7jwnbad4gbarl,scheduler-7jwnbad4gbarl,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,Vulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachineScaleSets,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachinescalesets/scheduler-7jwnbad4gbarl,scheduler-7jwnbad4gbarl,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vmssendpointprotectionmonitoring,26a828e1-e88f-464e-bbb3-c134a282b9de,/providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.",Security Center,Endpoint protection solution should be installed on virtual machine scale sets
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img,ycad-compute-img,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsupdatemonitoring,123a3936-f020-408a-ba0c-47873faf1534,/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.",Security Center,Allowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img,ycad-compute-img,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,Adaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img,ycad-compute-img,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,jitnetworkaccessmonitoring,b0f33259-77d7-4c9e-aac6-3aabcfae693c,/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations",Security Center,Management ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img,ycad-compute-img,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img,ycad-compute-img,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,System updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img,ycad-compute-img,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,Azure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img,ycad-compute-img,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,3.0.0,prerequisite_deployextensionlinux,331e8ea8-378a-410f-a2e5-ae22f38bb0da,/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da,,tbd,deployifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img,ycad-compute-img,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img,ycad-compute-img,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,Endpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img,ycad-compute-img,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,Endpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img,ycad-compute-img,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,Guest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-imgycad-compute-img55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-imgycad-compute-img55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-imgycad-compute-img55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-imgycad-compute-img55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-imgycad-compute-img55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-imgycad-compute-img55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-imgycad-compute-img55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-imgycad-compute-img55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-imgycad-compute-img55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-imgycad-compute-img55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-imgycad-compute-img55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-imgycad-compute-img55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-imgycad-compute-img55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-imgycad-compute-img55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-imgycad-compute-img55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-imgycad-compute-img55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-imgycad-compute-img55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-imgycad-compute-img55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-imgycad-compute-img55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachineScaleSetstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachinescalesets/scheduler-7jwnbad4gbarlscheduler-7jwnbad4gbarl55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmssosvulnerabilitiesmonitoring3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4/providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks.Security CenterVulnerabilities in security configuration on your virtual machine scale sets should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachineScaleSetstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachinescalesets/scheduler-7jwnbad4gbarlscheduler-7jwnbad4gbarl55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmssmonitoringa3a6ea0c-e018-4933-9ef0-5aaa1501449b/providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449bazure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSecurity Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats.Security CenterLog Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachineScaleSetstbdwestus2TrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachinescalesets/scheduler-7jwnbad4gbarlscheduler-7jwnbad4gbarl55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmsssystemupdatesmonitoringc3f317a7-a95c-4547-b7e7-11017ebdf2fe/providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2feazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure.Security CenterSystem updates on virtual machine scale sets should be installed
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachineScaleSetstbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachinescalesets/ondemand-tjry4hngbvfllondemand-tjry4hngbvfll55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachineScaleSetstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachinescalesets/ondemand-tjry4hngbvfllondemand-tjry4hngbvfll55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmsssystemupdatesmonitoringc3f317a7-a95c-4547-b7e7-11017ebdf2fe/providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2feazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure.Security CenterSystem updates on virtual machine scale sets should be installed
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachineScaleSetstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachinescalesets/ondemand-tjry4hngbvfllondemand-tjry4hngbvfll55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0vmssendpointprotectionmonitoring26a828e1-e88f-464e-bbb3-c134a282b9de/providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9deazure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.Security CenterEndpoint protection solution should be installed on virtual machine scale sets
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachineScaleSets,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachinescalesets/ondemand-tjry4hngbvfll,ondemand-tjry4hngbvfll,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vmssosvulnerabilitiesmonitoring,3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4,/providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks.",Security Center,"Vulnerabilities in security configuration on your virtual machine scale sets should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachineScaleSets,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachinescalesets/ondemand-tjry4hngbvfll,ondemand-tjry4hngbvfll,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmssmonitoring,a3a6ea0c-e018-4933-9ef0-5aaa1501449b,/providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats.",Security Center,"Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachineScaleSets,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachinescalesets/ondemand-tjry4hngbvfll,ondemand-tjry4hngbvfll,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,"Vulnerabilities in container security configurations should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachineScaleSets,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachinescalesets/ondemand-tjry4hngbvfll,ondemand-tjry4hngbvfll,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vmssendpointprotectionmonitoring,26a828e1-e88f-464e-bbb3-c134a282b9de,/providers/microsoft.authorization/policydefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.",Security Center,"Endpoint protection solution should be installed on virtual machine scale sets"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachineScaleSets,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachinescalesets/ondemand-tjry4hngbvfll,ondemand-tjry4hngbvfll,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vmssosvulnerabilitiesmonitoring,3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4,/providers/microsoft.authorization/policydefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks.",Security Center,"Vulnerabilities in security configuration on your virtual machine scale sets should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachineScaleSets,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachinescalesets/ondemand-tjry4hngbvfll,ondemand-tjry4hngbvfll,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmssmonitoring,a3a6ea0c-e018-4933-9ef0-5aaa1501449b,/providers/microsoft.authorization/policydefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats.",Security Center,"Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img,ycad-compute-img,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,systemconfigurationsmonitoring,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations",Security Center,"Vulnerabilities in security configuration on your machines should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachineScaleSets,tbd,westus2,True,Exempt,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachinescalesets/ondemand-tjry4hngbvfll,ondemand-tjry4hngbvfll,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,vmsssystemupdatesmonitoring,c3f317a7-a95c-4547-b7e7-11017ebdf2fe,/providers/microsoft.authorization/policydefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure.",Security Center,"System updates on virtual machine scale sets should be installed"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img,ycad-compute-img,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,"Endpoint protection health issues should be resolved on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img,ycad-compute-img,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,"Endpoint protection should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img,ycad-compute-img,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,013e242c-8828-4970-87b3-ab247555486d,/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.",Backup,"Azure Backup should be enabled for Virtual Machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img,ycad-compute-img,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,"Guest Configuration extension should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img,ycad-compute-img,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,containerbenchmarkmonitoring,e8cbc669-f12d-49eb-93e7-9273119e9933,/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.",Security Center,"Vulnerabilities in container security configurations should be remediated"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img,ycad-compute-img,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,disableipforwardingmonitoring,bd352bd5-2853-4985-bf0d-73806b4a5744,/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.",Security Center,"IP Forwarding on your virtual machine should be disabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img,ycad-compute-img,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,restrictaccesstomanagementportsmonitoring,22730e10-96f6-4aac-ad84-9383d35b5917,/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917,azure_security_benchmark_v3.0_ns-3,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.",Security Center,"Management ports should be closed on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img,ycad-compute-img,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptivenetworkhardeningsmonitoring,08e6af2d-db70-460a-bfe9-d5bd474ba9d6,/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6,System.Object[],tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface",Security Center,"Adaptive network hardening recommendations should be applied on internet facing virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img,ycad-compute-img,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,serversqldbvulnerabilityassesmentmonitoring,6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",Security Center,"SQL servers on machines should have vulnerability findings resolved"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img,ycad-compute-img,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,nextgenerationfirewallmonitoring,9daedab3-fb2d-461e-b861-71790eead4f6,/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",Security Center,"All network ports should be restricted on network security groups associated to your virtual machine"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img,ycad-compute-img,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,servervulnerabilityassessment,501541f7-f7e7-4cd6-868c-4190fdad3ac9,/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9,azure_security_benchmark_v3.0_pv-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",Security Center,"A vulnerability assessment solution should be enabled on your virtual machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img,ycad-compute-img,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.3,diskencryptionmonitoring,0961003e-5a0a-4549-abde-af6a37f2724d,/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison",Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/ycad-compute-img,ycad-compute-img,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,630c64f9-8b6b-4c64-b511-6544ceff6fd6,/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.",Guest Configuration,"Authentication to Linux machines should require SSH keys"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi,instance-gi4dgnzumntgcljqhe4dkljumi,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,networksecuritygroupsonvirtualmachinesmonitoring,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc",Security Center,"Internet-facing virtual machines should be protected with network security groups"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Storage/storageAccounts,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.storage/storageaccounts/voltusccstorusw2,voltusccstorusw2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,"Secure transfer to storage accounts should be enabled"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi,instance-gi4dgnzumntgcljqhe4dkljumi,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,adaptiveapplicationcontrolsmonitoring,47a6b606-51aa-4496-8bb7-64b11cf66adc,/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",Security Center,"Adaptive application controls for defining safe applications should be enabled on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc,azyc-newimagecc,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0-preview,systemupdatesv2monitoring,f85bf3e0-d513-442e-89c3-1784ad63382b,/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.",Security Center,"[Preview]: System updates should be installed on your machines (powered by Update Center)"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc,azyc-newimagecc,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,4.0.0,systemupdatesmonitoring,86b3d65f-7626-441e-b690-81a8b71cff60,/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations",Security Center,"System updates should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc,azyc-newimagecc,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,gcextonvmmonitoring,ae89ebca-1c92-4898-ac2c-9f63decb045c,/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",Security Center,"Guest Configuration extension should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc,azyc-newimagecc,1.0.0,,,12794019-7a00-42cf-95c2-882eed337cc8,/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8,guest configuration,,3.0.0,prerequisite_deployextensionlinux,331e8ea8-378a-410f-a2e5-ae22f38bb0da,/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da,,tbd,deployifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,tbd,,f34f1577286a4f77b5dd107c,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c,"This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.",Guest Configuration,"Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,True,Compliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc,azyc-newimagecc,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installloganalyticsagentonvmmonitoring,a4fe33eb-e377-4efb-ab31-0784311bc499,/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/MCAPSCore,tbd,,Azure_Security_Baseline,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline,"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats",Security Center,"Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc,azyc-newimagecc,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,endpointprotectionhealthissuesmonitoringeffect,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.",Security Center,"Endpoint protection health issues should be resolved on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622,ycadence,Microsoft.Compute/virtualMachines,tbd,westus2,False,NonCompliant,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc,azyc-newimagecc,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,installendpointprotection,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,tbd,auditifnotexists,,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,tbd,,SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.",Security Center,"Endpoint protection should be installed on your machines"
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachines/extensionstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimageccazyc-newimagecc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimageccazyc-newimagecc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachines/extensionstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimageccazyc-newimagecc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimageccazyc-newimagecc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimageccazyc-newimagecc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimageccazyc-newimagecc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimageccazyc-newimagecc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimageccazyc-newimagecc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimageccazyc-newimagecc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimageccazyc-newimagecc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimageccazyc-newimagecc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimageccazyc-newimagecc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimageccazyc-newimagecc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimageccazyc-newimagecc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimageccazyc-newimagecc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimageccazyc-newimagecc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimageccazyc-newimagecc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachines/extensionstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserver/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimageccazyc-newimagecc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimageccazyc-newimagecc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimageccazyc-newimagecc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimageccazyc-newimagecc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimageccazyc-newimagecc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjumpazyc-windowsjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimageccazyc-newimagecc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjumpazyc-windowsjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjumpazyc-windowsjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjumpazyc-windowsjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjumpazyc-windowsjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjumpazyc-windowsjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjumpazyc-windowsjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjumpazyc-windowsjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjumpazyc-windowsjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjumpazyc-windowsjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjumpazyc-windowsjump1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjumpazyc-windowsjump1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachines/extensionstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimageccazyc-newimagecc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimageccazyc-newimagecc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimageccazyc-newimagecc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimageccazyc-newimagecc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimageccazyc-newimagecc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimageccazyc-newimagecc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimageccazyc-newimagecc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimageccazyc-newimagecc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimageccazyc-newimagecc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimageccazyc-newimagecc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimageccazyc-newimagecc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimageccazyc-newimagecc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimageccazyc-newimagecc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimageccazyc-newimagecc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimageccazyc-newimagecc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimageccazyc-newimagecc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimageccazyc-newimagecc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimageccazyc-newimagecc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumiinstance-gi4dgnzumntgcljqhe4dkljumi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration3.0.0prerequisite_deployextensionlinux331e8ea8-378a-410f-a2e5-ae22f38bb0da/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0datbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimageccazyc-newimagecc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimageccazyc-newimagecc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimageccazyc-newimagecc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimageccazyc-newimagecc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimageccazyc-newimagecc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimageccazyc-newimagecc1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimageccazyc-newimagecc1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjumpazyc-windowsjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjumpazyc-windowsjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugrfileserver-gu4geojsgeygcljzga4tsljugr55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugrfileserver-gu4geojsgeygcljzga4tsljugr55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsonvirtualmachinesmonitoringf6de0be7-9a8a-4b8a-b349-43cf02d22f7c/providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7cazure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineProtect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterInternet-facing virtual machines should be protected with network security groups
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugrfileserver-gu4geojsgeygcljzga4tsljugr55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugrfileserver-gu4geojsgeygcljzga4tsljugr55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjumpazyc-windowsjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0windowsdefenderexploitguardmonitoringbed48b13-6647-468e-aa2f-1af1d3f4dd40/providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineWindows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).Guest ConfigurationWindows Defender Exploit Guard should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugrfileserver-gu4geojsgeygcljzga4tsljugr55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugrfileserver-gu4geojsgeygcljzga4tsljugr55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugrfileserver-gu4geojsgeygcljzga4tsljugr55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugrfileserver-gu4geojsgeygcljzga4tsljugr55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
Compliance results for subscription 1d81cec7-7ded-4731-884e-90c5aa59c622, resource group ycadence, location westus2 (ResourceTags column: tbd). Every row below was evaluated under the same policy set, 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8), policy set version 55.0.0, policy set category "security center". Every policy definition listed has action auditifnotexists and a PolicyDefinitionCategory column of "tbd"; PolicyAssignmentParameters is "tbd" in every row; the EffectiveParameters, PolicySetDefinitionParameters, PolicySetDefinitionOwner, PolicyEvaluationDetails, PolicyAssignmentVersion and PolicyAssignmentOwner columns are empty in every row. IsCompliant is True exactly where ComplianceState is Compliant and False where it is NonCompliant.

Where PolicyDefinitionGroupNames reads "System.Object[]", the export wrote the .NET type name of an array it did not expand (the string Export-Csv emits for an object[] property) instead of the Azure Security Benchmark control ID, so the benchmark mapping for those definitions is not recoverable from this report.

Resources (ResourceId):
  fileserver-gu4geojsgeygcljzga4tsljugr: Microsoft.Compute/virtualMachines, /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr
  azyc-windowsjump: Microsoft.Compute/virtualMachines, /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump
  azyc-newimagecc: Microsoft.Compute/virtualMachines, /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimagecc
  instance-gi4dgnzumntgcljqhe4dkljumi: Microsoft.Compute/virtualMachines, /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumi
  azurepolicyforlinux: Microsoft.Compute/virtualMachines/extensions, /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr/extensions/azurepolicyforlinux
  azurepolicyforwindows: Microsoft.Compute/virtualMachines/extensions, /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjump/extensions/azurepolicyforwindows

Policy assignments:
  SecurityCenterBuiltIn: scope /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622; assignment ID /subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
  Azure_Security_Baseline: scope /providers/Microsoft.Management/managementGroups/MCAPSCore; assignment ID /providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline

Policy definitions referenced (keyed by PolicyDefinitionReferenceId):

gcextonvmwithnosamimonitoring
  Definition: /providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a (version 1.0.1; group names: System.Object[]; category: Security Center)
  Display name: Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
  Description: The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol

installloganalyticsagentonvmmonitoring
  Definition: /providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499 (version 1.0.0; group names: azure_security_benchmark_v3.0_lt-5; category: Security Center)
  Display name: Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
  Description: This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats

windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect
  Definition: /providers/microsoft.authorization/policydefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112 (version 4.0.0; group names: azure_security_benchmark_v3.0_dp-3; category: Guest Configuration)
  Display name: Windows web servers should be configured to use secure communication protocols
  Description: To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.

endpointprotectionhealthissuesmonitoringeffect
  Definition: /providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 (version 1.0.0; group names: System.Object[]; category: Security Center)
  Display name: Endpoint protection health issues should be resolved on your machines
  Description: Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.

systemconfigurationsmonitoring
  Definition: /providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 (version 3.0.0; group names: azure_security_benchmark_v3.0_pv-6; category: Security Center)
  Display name: Vulnerabilities in security configuration on your machines should be remediated
  Description: Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations

installendpointprotection
  Definition: /providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8 (version 1.0.0; group names: azure_security_benchmark_v3.0_es-2; category: Security Center)
  Display name: Endpoint protection should be installed on your machines
  Description: To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.

containerbenchmarkmonitoring
  Definition: /providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933 (version 3.0.0; group names: System.Object[]; category: Security Center)
  Display name: Vulnerabilities in container security configurations should be remediated
  Description: Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.

disableipforwardingmonitoring
  Definition: /providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 (version 3.0.0; group names: azure_security_benchmark_v3.0_ns-3; category: Security Center)
  Display name: IP Forwarding on your virtual machine should be disabled
  Description: Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.

restrictaccesstomanagementportsmonitoring
  Definition: /providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 (version 3.0.0; group names: azure_security_benchmark_v3.0_ns-3; category: Security Center)
  Display name: Management ports should be closed on your virtual machines
  Description: Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.

adaptivenetworkhardeningsmonitoring
  Definition: /providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6 (version 3.0.0; group names: System.Object[]; category: Security Center)
  Display name: Adaptive network hardening recommendations should be applied on internet facing virtual machines
  Description: Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface

nextgenerationfirewallmonitoring
  Definition: /providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6 (version 3.0.0; group names: azure_security_benchmark_v3.0_ns-1; category: Security Center)
  Display name: All network ports should be restricted on network security groups associated to your virtual machine
  Description: Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.

serversqldbvulnerabilityassesmentmonitoring
  Definition: /providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d (version 1.0.0; group names: azure_security_benchmark_v3.0_pv-6; category: Security Center)
  Display name: SQL servers on machines should have vulnerability findings resolved
  Description: SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.

authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect
  Definition: /providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6 (version 3.0.0; group names: azure_security_benchmark_v3.0_im-6; category: Guest Configuration)
  Display name: Authentication to Linux machines should require SSH keys
  Description: Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.

servervulnerabilityassessment
  Definition: /providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 (version 3.0.0; group names: azure_security_benchmark_v3.0_pv-5; category: Security Center)
  Display name: A vulnerability assessment solution should be enabled on your virtual machines
  Description: Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.

diskencryptionmonitoring
  Definition: /providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724d (version 2.0.3; group names: azure_security_benchmark_v3.0_dp-4; category: Security Center)
  Display name: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
  Description: By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison

endpointprotectionmonitoring
  Definition: /providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9 (version 3.0.0; group names: azure_security_benchmark_v3.0_es-2; category: Security Center)
  Display name: Monitor missing Endpoint Protection in Azure Security Center
  Description: Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations

networksecuritygroupsoninternalvirtualmachinesmonitoring
  Definition: /providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6 (version 3.0.0; group names: azure_security_benchmark_v3.0_ns-1; category: Security Center)
  Display name: Non-internet-facing virtual machines should be protected with network security groups
  Description: Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc

networksecuritygroupsonvirtualmachinesmonitoring
  Definition: /providers/microsoft.authorization/policydefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c (version 3.0.0; group names: azure_security_benchmark_v3.0_ns-1; category: Security Center)
  Display name: Internet-facing virtual machines should be protected with network security groups
  Description: Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc

windowsdefenderexploitguardmonitoring
  Definition: /providers/microsoft.authorization/policydefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40 (version 2.0.0; group names: System.Object[]; category: Guest Configuration)
  Display name: Windows Defender Exploit Guard should be enabled on your machines
  Description: Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).

adaptiveapplicationcontrolsupdatemonitoring
  Definition: /providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534 (version 3.0.0; group names: azure_security_benchmark_v3.0_am-5; category: Security Center)
  Display name: Allowlist rules in your adaptive application control policy should be updated
  Description: Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.

jitnetworkaccessmonitoring
  Definition: /providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c (version 3.0.0; group names: System.Object[]; category: Security Center)
  Display name: Management ports of virtual machines should be protected with just-in-time network access control
  Description: Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations

gcextonvmmonitoring
  Definition: /providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c (version 1.0.2; group names: azure_security_benchmark_v3.0_pv-4; category: Security Center)
  Display name: Guest Configuration extension should be installed on your machines
  Description: To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.

systemupdatesv2monitoring
  Definition: /providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382b (version 1.0.0-preview; group names: azure_security_benchmark_v3.0_pv-6; category: Security Center)
  Display name: [Preview]: System updates should be installed on your machines (powered by Update Center)
  Description: Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.

azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect
  Definition: /providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486d (version 3.0.0; group names: System.Object[]; category: Backup)
  Display name: Azure Backup should be enabled for Virtual Machines
  Description: Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.

Compliance states (report order):

Resource | Resource type | Compliance state | Policy definition (reference ID) | Assignment
azurepolicyforlinux (extension on fileserver-gu4geojsgeygcljzga4tsljugr) | Microsoft.Compute/virtualMachines/extensions | Compliant | gcextonvmwithnosamimonitoring | Azure_Security_Baseline
fileserver-gu4geojsgeygcljzga4tsljugr | Microsoft.Compute/virtualMachines | Compliant | installloganalyticsagentonvmmonitoring | Azure_Security_Baseline
azyc-windowsjump | Microsoft.Compute/virtualMachines | NonCompliant | windowswebserversshouldbeconfiguredtousesecurecommunicationprotocolsmonitoringeffect | SecurityCenterBuiltIn
fileserver-gu4geojsgeygcljzga4tsljugr | Microsoft.Compute/virtualMachines | NonCompliant | endpointprotectionhealthissuesmonitoringeffect | SecurityCenterBuiltIn
fileserver-gu4geojsgeygcljzga4tsljugr | Microsoft.Compute/virtualMachines | Compliant | systemconfigurationsmonitoring | Azure_Security_Baseline
fileserver-gu4geojsgeygcljzga4tsljugr | Microsoft.Compute/virtualMachines | NonCompliant | installendpointprotection | SecurityCenterBuiltIn
fileserver-gu4geojsgeygcljzga4tsljugr | Microsoft.Compute/virtualMachines | Compliant | containerbenchmarkmonitoring | SecurityCenterBuiltIn
fileserver-gu4geojsgeygcljzga4tsljugr | Microsoft.Compute/virtualMachines | Compliant | disableipforwardingmonitoring | SecurityCenterBuiltIn
fileserver-gu4geojsgeygcljzga4tsljugr | Microsoft.Compute/virtualMachines | Compliant | restrictaccesstomanagementportsmonitoring | SecurityCenterBuiltIn
fileserver-gu4geojsgeygcljzga4tsljugr | Microsoft.Compute/virtualMachines | Compliant | adaptivenetworkhardeningsmonitoring | SecurityCenterBuiltIn
fileserver-gu4geojsgeygcljzga4tsljugr | Microsoft.Compute/virtualMachines | Compliant | nextgenerationfirewallmonitoring | SecurityCenterBuiltIn
fileserver-gu4geojsgeygcljzga4tsljugr | Microsoft.Compute/virtualMachines | NonCompliant | serversqldbvulnerabilityassesmentmonitoring | SecurityCenterBuiltIn
azyc-newimagecc | Microsoft.Compute/virtualMachines | NonCompliant | authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect | SecurityCenterBuiltIn
fileserver-gu4geojsgeygcljzga4tsljugr | Microsoft.Compute/virtualMachines | Compliant | servervulnerabilityassessment | SecurityCenterBuiltIn
fileserver-gu4geojsgeygcljzga4tsljugr | Microsoft.Compute/virtualMachines | Compliant | diskencryptionmonitoring | SecurityCenterBuiltIn
fileserver-gu4geojsgeygcljzga4tsljugr | Microsoft.Compute/virtualMachines | Compliant | endpointprotectionmonitoring | SecurityCenterBuiltIn
fileserver-gu4geojsgeygcljzga4tsljugr | Microsoft.Compute/virtualMachines | Compliant | systemconfigurationsmonitoring | SecurityCenterBuiltIn
fileserver-gu4geojsgeygcljzga4tsljugr | Microsoft.Compute/virtualMachines | Compliant | networksecuritygroupsoninternalvirtualmachinesmonitoring | SecurityCenterBuiltIn
fileserver-gu4geojsgeygcljzga4tsljugr | Microsoft.Compute/virtualMachines | Compliant | networksecuritygroupsonvirtualmachinesmonitoring | SecurityCenterBuiltIn
azyc-windowsjump | Microsoft.Compute/virtualMachines | NonCompliant | windowsdefenderexploitguardmonitoring | SecurityCenterBuiltIn
fileserver-gu4geojsgeygcljzga4tsljugr | Microsoft.Compute/virtualMachines | Compliant | endpointprotectionmonitoring | Azure_Security_Baseline
fileserver-gu4geojsgeygcljzga4tsljugr | Microsoft.Compute/virtualMachines | Compliant | servervulnerabilityassessment | Azure_Security_Baseline
fileserver-gu4geojsgeygcljzga4tsljugr | Microsoft.Compute/virtualMachines | Compliant | diskencryptionmonitoring | Azure_Security_Baseline
azurepolicyforwindows (extension on azyc-windowsjump) | Microsoft.Compute/virtualMachines/extensions | Compliant | gcextonvmwithnosamimonitoring | Azure_Security_Baseline
instance-gi4dgnzumntgcljqhe4dkljumi | Microsoft.Compute/virtualMachines | Compliant | adaptiveapplicationcontrolsupdatemonitoring | SecurityCenterBuiltIn
instance-gi4dgnzumntgcljqhe4dkljumi | Microsoft.Compute/virtualMachines | Compliant | jitnetworkaccessmonitoring | SecurityCenterBuiltIn
instance-gi4dgnzumntgcljqhe4dkljumi | Microsoft.Compute/virtualMachines | Compliant | gcextonvmmonitoring | SecurityCenterBuiltIn
instance-gi4dgnzumntgcljqhe4dkljumi | Microsoft.Compute/virtualMachines | Compliant | systemupdatesv2monitoring | SecurityCenterBuiltIn
fileserver-gu4geojsgeygcljzga4tsljugr | Microsoft.Compute/virtualMachines | Compliant | gcextonvmmonitoring | Azure_Security_Baseline
fileserver-gu4geojsgeygcljzga4tsljugr | Microsoft.Compute/virtualMachines | NonCompliant | azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect | Azure_Security_Baseline
instance-gi4dgnzumntgcljqhe4dkljumi | Microsoft.Compute/virtualMachines | Compliant | installloganalyticsagentonvmmonitoring | SecurityCenterBuiltIn
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachines/extensionstbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugr/extensions/azurepolicyforlinuxazurepolicyforlinux55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1gcextonvmwithnosamimonitoringd26f7642-7545-4e18-9b75-8c9bbdee3a9a/providers/microsoft.authorization/policydefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9aSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThe Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpolSecurity CenterVirtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueExempt/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumiinstance-gi4dgnzumntgcljqhe4dkljumi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumiinstance-gi4dgnzumntgcljqhe4dkljumi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumiinstance-gi4dgnzumntgcljqhe4dkljumi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumiinstance-gi4dgnzumntgcljqhe4dkljumi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumiinstance-gi4dgnzumntgcljqhe4dkljumi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumiinstance-gi4dgnzumntgcljqhe4dkljumi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0-previewpreviewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect97566dd7-78ae-4997-8b36-1c7bfe0d8121/providers/microsoft.authorization/policydefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.Security Center[Preview]: Secure Boot should be enabled on supported Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumiinstance-gi4dgnzumntgcljqhe4dkljumi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewvtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect1c30f9cd-b84c-49cc-aa2c-9288447cc3b3/providers/microsoft.authorization/policydefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3azure_security_benchmark_v3.0_pv-4tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.Security Center[Preview]: vTPM should be enabled on supported virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumiinstance-gi4dgnzumntgcljqhe4dkljumi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0-previewsystemupdatesautoassessmentmodebd876905-5b84-4f73-ab2d-2e7a7c4568d9/providers/microsoft.authorization/policydefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9azure_security_benchmark_v3.0_pv-6tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.Update Management Center[Preview]: Machines should be configured to periodically check for missing system updates
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumiinstance-gi4dgnzumntgcljqhe4dkljumi55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classiccomputevmsmonitoring1d84d5fb-01f6-4d12-ba4f-4a26081d403d/providers/microsoft.authorization/policydefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403dazure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementComputeVirtual machines should be migrated to new Azure Resource Manager resources
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumiinstance-gi4dgnzumntgcljqhe4dkljumi1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhenuser497dff13-db2a-4c0f-8603-28fa3b331ab6/providers/microsoft.authorization/policydefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6tbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/instance-gi4dgnzumntgcljqhe4dkljumiinstance-gi4dgnzumntgcljqhe4dkljumi1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration4.0.0prerequisite_addsystemidentitywhennone3cf2ab00-13f1-4d0c-8971-2ac904541a7e/providers/microsoft.authorization/policydefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7etbdmodify/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationAdd system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjumpazyc-windowsjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0windowsguestconfigbaselinesmonitoring72650e9f-97bc-4b2a-ab5f-9781a9fcecbc/providers/microsoft.authorization/policydefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbcazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationWindows machines should meet requirements of the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugrfileserver-gu4geojsgeygcljzga4tsljugr55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugrfileserver-gu4geojsgeygcljzga4tsljugr55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugrfileserver-gu4geojsgeygcljzga4tsljugr1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration3.0.0prerequisite_deployextensionlinux331e8ea8-378a-410f-a2e5-ae22f38bb0da/providers/microsoft.authorization/policydefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0datbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugrfileserver-gu4geojsgeygcljzga4tsljugr55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugrfileserver-gu4geojsgeygcljzga4tsljugr55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugrfileserver-gu4geojsgeygcljzga4tsljugr55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugrfileserver-gu4geojsgeygcljzga4tsljugr55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugrfileserver-gu4geojsgeygcljzga4tsljugr55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugrfileserver-gu4geojsgeygcljzga4tsljugr55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsupdatemonitoring123a3936-f020-408a-ba0c-47873faf1534/providers/microsoft.authorization/policydefinitions/123a3936-f020-408a-ba0c-47873faf1534azure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMonitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.Security CenterAllowlist rules in your adaptive application control policy should be updated
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugrfileserver-gu4geojsgeygcljzga4tsljugr55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugrfileserver-gu4geojsgeygcljzga4tsljugr55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installendpointprotection1f7c564c-0a90-4d44-b7e1-9d456cffaee8/providers/microsoft.authorization/policydefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8azure_security_benchmark_v3.0_es-2tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.Security CenterEndpoint protection should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugrfileserver-gu4geojsgeygcljzga4tsljugr55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjumpazyc-windowsjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptiveapplicationcontrolsmonitoring47a6b606-51aa-4496-8bb7-64b11cf66adc/providers/microsoft.authorization/policydefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adcazure_security_benchmark_v3.0_am-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.Security CenterAdaptive application controls for defining safe applications should be enabled on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjumpazyc-windowsjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0jitnetworkaccessmonitoringb0f33259-77d7-4c9e-aac6-3aabcfae693c/providers/microsoft.authorization/policydefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693cSystem.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselinePossible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendationsSecurity CenterManagement ports of virtual machines should be protected with just-in-time network access control
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjumpazyc-windowsjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0-previewsystemupdatesv2monitoringf85bf3e0-d513-442e-89c3-1784ad63382b/providers/microsoft.authorization/policydefinitions/f85bf3e0-d513-442e-89c3-1784ad63382bazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineYour machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.Security Center[Preview]: System updates should be installed on your machines (powered by Update Center)
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjumpazyc-windowsjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center4.0.0systemupdatesmonitoring86b3d65f-7626-441e-b690-81a8b71cff60/providers/microsoft.authorization/policydefinitions/86b3d65f-7626-441e-b690-81a8b71cff60azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineMissing security system updates on your servers will be monitored by Azure Security Center as recommendationsSecurity CenterSystem updates should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjumpazyc-windowsjump1.0.012794019-7a00-42cf-95c2-882eed337cc8/providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8guest configuration1.2.0prerequisite_deployextensionwindows385f5831-96d4-41db-9a3c-cd3af78aaae6/providers/microsoft.authorization/policydefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6tbddeployifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProdtbdf34f1577286a4f77b5dd107c/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107cThis policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.Guest ConfigurationDeploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjumpazyc-windowsjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2gcextonvmmonitoringae89ebca-1c92-4898-ac2c-9f63decb045c/providers/microsoft.authorization/policydefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045cazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineTo ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.Security CenterGuest Configuration extension should be installed on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect630c64f9-8b6b-4c64-b511-6544ceff6fd6/providers/microsoft.authorization/policydefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6azure_security_benchmark_v3.0_im-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.Guest ConfigurationAuthentication to Linux machines should require SSH keys
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjumpazyc-windowsjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimageccazyc-newimagecc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjumpazyc-windowsjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0endpointprotectionhealthissuesmonitoringeffect8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2/providers/microsoft.authorization/policydefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinResolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.Security CenterEndpoint protection health issues should be resolved on your machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjumpazyc-windowsjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect013e242c-8828-4970-87b3-ab247555486d/providers/microsoft.authorization/policydefinitions/013e242c-8828-4970-87b3-ab247555486dSystem.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnsure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.BackupAzure Backup should be enabled for Virtual Machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjumpazyc-windowsjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2-previewascdependencyagentauditwindowseffect2f2ee1de-44aa-4762-b6bd-0893fc3f306d/providers/microsoft.authorization/policydefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306dazure_security_benchmark_v3.0_lt-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSecurity Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.Monitoring[Preview]: Network traffic data collection agent should be installed on Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-cycleserverazyc-cycleserver55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjumpazyc-windowsjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjumpazyc-windowsjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjumpazyc-windowsjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjumpazyc-windowsjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjumpazyc-windowsjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjumpazyc-windowsjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0nextgenerationfirewallmonitoring9daedab3-fb2d-461e-b861-71790eead4f6/providers/microsoft.authorization/policydefinitions/9daedab3-fb2d-461e-b861-71790eead4f6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.Security CenterAll network ports should be restricted on network security groups associated to your virtual machine
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjumpazyc-windowsjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjumpazyc-windowsjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.3diskencryptionmonitoring0961003e-5a0a-4549-abde-af6a37f2724d/providers/microsoft.authorization/policydefinitions/0961003e-5a0a-4549-abde-af6a37f2724dazure_security_benchmark_v3.0_dp-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinBy default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparisonSecurity CenterVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjumpazyc-windowsjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0endpointprotectionmonitoringaf6cd1bd-1635-48cb-bde7-5b15693900b9/providers/microsoft.authorization/policydefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9azure_security_benchmark_v3.0_es-2tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendationsSecurity CenterMonitor missing Endpoint Protection in Azure Security Center
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjumpazyc-windowsjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0systemconfigurationsmonitoringe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15/providers/microsoft.authorization/policydefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15azure_security_benchmark_v3.0_pv-6tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinServers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendationsSecurity CenterVulnerabilities in security configuration on your machines should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjumpazyc-windowsjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0networksecuritygroupsoninternalvirtualmachinesmonitoringbb91dfba-c30d-4263-9add-9c2384e659a6/providers/microsoft.authorization/policydefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6azure_security_benchmark_v3.0_ns-1tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-docSecurity CenterNon-internet-facing virtual machines should be protected with network security groups
The thirty rows of this block lost their field delimiters in export. They are rebuilt below as two delimited tables against the column header at the top of the report: one row per evaluated (resource, policy definition, assignment), then one row per policy definition carrying the long text columns that the export repeats on every evaluation row.

Values that are identical on every row in this block and are therefore not repeated per row:
SubscriptionId,1d81cec7-7ded-4731-884e-90c5aa59c622
ResourceGroup,ycadence
ResourceLocation,westus2
ResourceTags,tbd
PolicyDefinitionCategory,tbd
PolicyAssignmentParameters,tbd
ResourceType,Microsoft.Compute/virtualMachines (the azurepolicyforwindows row is Microsoft.Compute/virtualMachines/extensions, the extension child of azyc-windowsjump)
ResourceId,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/<Resource> (the extension row appends /extensions/azurepolicyforwindows to the azyc-windowsjump ID)
PolicyDefinitionId,/providers/microsoft.authorization/policydefinitions/<PolicyDefinitionName>
PolicySetDefinitionName,1f3afdf9-d0c9-4c3d-847f-89da613e70a8 (PolicySetDefinitionId /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8, PolicySetDefinitionCategory "security center", PolicySetDefinitionVersion 55.0.0) on every row except the two prerequisite_* rows, which evaluate under 12794019-7a00-42cf-95c2-882eed337cc8 (PolicySetDefinitionId /providers/Microsoft.Authorization/policySetDefinitions/12794019-7a00-42cf-95c2-882eed337cc8, category "guest configuration", version 1.0.0)

Policy assignments referenced by PolicyAssignmentName:
PolicyAssignmentName,PolicyAssignmentScope,PolicyAssignmentId
SecurityCenterBuiltIn,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622,/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltin
Azure_Security_Baseline,/providers/Microsoft.Management/managementGroups/MCAPSCore,/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baseline
f34f1577286a4f77b5dd107c,/providers/Microsoft.Management/managementGroups/MCAPSCoreNonProd,/providers/microsoft.management/managementgroups/mcapscorenonprod/providers/microsoft.authorization/policyassignments/f34f1577286a4f77b5dd107c

Evaluation rows, in the report's original order:
Resource,IsCompliant,ComplianceState,PolicyDefinitionName,PolicyDefinitionReferenceId,PolicyDefinitionVersion,PolicyDefinitionAction,PolicyAssignmentName
azyc-windowsjump,True,Compliant,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,networksecuritygroupsonvirtualmachinesmonitoring,3.0.0,auditifnotexists,SecurityCenterBuiltIn
azyc-windowsjump,True,Compliant,123a3936-f020-408a-ba0c-47873faf1534,adaptiveapplicationcontrolsupdatemonitoring,3.0.0,auditifnotexists,SecurityCenterBuiltIn
fileserver-gu4geojsgeygcljzga4tsljugr,True,Compliant,b0f33259-77d7-4c9e-aac6-3aabcfae693c,jitnetworkaccessmonitoring,3.0.0,auditifnotexists,SecurityCenterBuiltIn
azyc-windowsjump,True,Compliant,b0f33259-77d7-4c9e-aac6-3aabcfae693c,jitnetworkaccessmonitoring,3.0.0,auditifnotexists,SecurityCenterBuiltIn
azyc-windowsjump,True,Compliant,47a6b606-51aa-4496-8bb7-64b11cf66adc,adaptiveapplicationcontrolsmonitoring,3.0.0,auditifnotexists,SecurityCenterBuiltIn
azyc-windowsjump,True,Compliant,123a3936-f020-408a-ba0c-47873faf1534,adaptiveapplicationcontrolsupdatemonitoring,3.0.0,auditifnotexists,Azure_Security_Baseline
azyc-windowsjump,True,Compliant,f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,networksecuritygroupsonvirtualmachinesmonitoring,3.0.0,auditifnotexists,Azure_Security_Baseline
azyc-windowsjump,False,NonCompliant,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,installendpointprotection,1.0.0,auditifnotexists,SecurityCenterBuiltIn
azyc-windowsjump,True,Compliant,e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,systemconfigurationsmonitoring,3.0.0,auditifnotexists,Azure_Security_Baseline
azurepolicyforwindows,True,Compliant,d26f7642-7545-4e18-9b75-8c9bbdee3a9a,gcextonvmwithnosamimonitoring,1.0.1,auditifnotexists,SecurityCenterBuiltIn
fileserver-gu4geojsgeygcljzga4tsljugr,True,Compliant,ae89ebca-1c92-4898-ac2c-9f63decb045c,gcextonvmmonitoring,1.0.2,auditifnotexists,SecurityCenterBuiltIn
azyc-windowsjump,False,NonCompliant,013e242c-8828-4970-87b3-ab247555486d,azurebackupshouldbeenabledforvirtualmachinesmonitoringeffect,3.0.0,auditifnotexists,Azure_Security_Baseline
azyc-windowsjump,True,Compliant,bb91dfba-c30d-4263-9add-9c2384e659a6,networksecuritygroupsoninternalvirtualmachinesmonitoring,3.0.0,auditifnotexists,Azure_Security_Baseline
fileserver-gu4geojsgeygcljzga4tsljugr,True,Exempt,86b3d65f-7626-441e-b690-81a8b71cff60,systemupdatesmonitoring,4.0.0,auditifnotexists,SecurityCenterBuiltIn
fileserver-gu4geojsgeygcljzga4tsljugr,True,Compliant,97566dd7-78ae-4997-8b36-1c7bfe0d8121,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,4.0.0-preview,audit,Azure_Security_Baseline
fileserver-gu4geojsgeygcljzga4tsljugr,True,Compliant,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,2.0.0-preview,audit,Azure_Security_Baseline
fileserver-gu4geojsgeygcljzga4tsljugr,True,Compliant,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,systemupdatesautoassessmentmode,2.0.0-preview,audit,Azure_Security_Baseline
fileserver-gu4geojsgeygcljzga4tsljugr,True,Compliant,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,classiccomputevmsmonitoring,1.0.0,audit,Azure_Security_Baseline
fileserver-gu4geojsgeygcljzga4tsljugr,True,Compliant,97566dd7-78ae-4997-8b36-1c7bfe0d8121,previewsecurebootshouldbeenabledonsupportedwindowsvirtualmachinesmonitoringeffect,4.0.0-preview,audit,SecurityCenterBuiltIn
fileserver-gu4geojsgeygcljzga4tsljugr,True,Compliant,1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,vtpmshouldbeenabledonsupportedvirtualmachinesmonitoringeffect,2.0.0-preview,audit,SecurityCenterBuiltIn
fileserver-gu4geojsgeygcljzga4tsljugr,True,Compliant,1d84d5fb-01f6-4d12-ba4f-4a26081d403d,classiccomputevmsmonitoring,1.0.0,audit,SecurityCenterBuiltIn
fileserver-gu4geojsgeygcljzga4tsljugr,True,Compliant,497dff13-db2a-4c0f-8603-28fa3b331ab6,prerequisite_addsystemidentitywhenuser,4.0.0,modify,f34f1577286a4f77b5dd107c
fileserver-gu4geojsgeygcljzga4tsljugr,True,Compliant,3cf2ab00-13f1-4d0c-8971-2ac904541a7e,prerequisite_addsystemidentitywhennone,4.0.0,modify,f34f1577286a4f77b5dd107c
azyc-windowsjump,False,NonCompliant,8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,endpointprotectionhealthissuesmonitoringeffect,1.0.0,auditifnotexists,Azure_Security_Baseline
fileserver-gu4geojsgeygcljzga4tsljugr,True,Compliant,bd876905-5b84-4f73-ab2d-2e7a7c4568d9,systemupdatesautoassessmentmode,2.0.0-preview,audit,SecurityCenterBuiltIn
azyc-newimagecc,False,NonCompliant,630c64f9-8b6b-4c64-b511-6544ceff6fd6,authenticationtolinuxmachinesshouldrequiresshkeysmonitoringeffect,3.0.0,auditifnotexists,Azure_Security_Baseline
azyc-windowsjump,False,NonCompliant,af6cd1bd-1635-48cb-bde7-5b15693900b9,endpointprotectionmonitoring,3.0.0,auditifnotexists,Azure_Security_Baseline
azyc-windowsjump,False,NonCompliant,0961003e-5a0a-4549-abde-af6a37f2724d,diskencryptionmonitoring,2.0.3,auditifnotexists,Azure_Security_Baseline
azyc-windowsjump,False,NonCompliant,1f7c564c-0a90-4d44-b7e1-9d456cffaee8,installendpointprotection,1.0.0,auditifnotexists,Azure_Security_Baseline
azyc-windowsjump,True,Compliant,9daedab3-fb2d-461e-b861-71790eead4f6,nextgenerationfirewallmonitoring,3.0.0,auditifnotexists,Azure_Security_Baseline

Policy definitions referenced above. PolicyDefinitionGroupNames reads "System.Object[]" where the exporting PowerShell script wrote an array without expanding it, so the benchmark control mapping for those definitions is not recoverable from this report; the two prerequisite_* definitions carry no group names at all.
PolicyDefinitionName,PolicyDefinitionGroupNames,PolicyCategory,PolicyDisplayName,PolicyDescription
f6de0be7-9a8a-4b8a-b349-43cf02d22f7c,azure_security_benchmark_v3.0_ns-1,Security Center,"Internet-facing virtual machines should be protected with network security groups","Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc"
123a3936-f020-408a-ba0c-47873faf1534,azure_security_benchmark_v3.0_am-5,Security Center,"Allowlist rules in your adaptive application control policy should be updated","Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies."
b0f33259-77d7-4c9e-aac6-3aabcfae693c,System.Object[],Security Center,"Management ports of virtual machines should be protected with just-in-time network access control","Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations"
47a6b606-51aa-4496-8bb7-64b11cf66adc,azure_security_benchmark_v3.0_am-5,Security Center,"Adaptive application controls for defining safe applications should be enabled on your machines","Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications."
1f7c564c-0a90-4d44-b7e1-9d456cffaee8,azure_security_benchmark_v3.0_es-2,Security Center,"Endpoint protection should be installed on your machines","To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution."
e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15,azure_security_benchmark_v3.0_pv-6,Security Center,"Vulnerabilities in security configuration on your machines should be remediated","Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations"
d26f7642-7545-4e18-9b75-8c9bbdee3a9a,System.Object[],Security Center,"Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity","The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol"
ae89ebca-1c92-4898-ac2c-9f63decb045c,azure_security_benchmark_v3.0_pv-4,Security Center,"Guest Configuration extension should be installed on your machines","To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol."
013e242c-8828-4970-87b3-ab247555486d,System.Object[],Backup,"Azure Backup should be enabled for Virtual Machines","Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure."
bb91dfba-c30d-4263-9add-9c2384e659a6,azure_security_benchmark_v3.0_ns-1,Security Center,"Non-internet-facing virtual machines should be protected with network security groups","Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc"
86b3d65f-7626-441e-b690-81a8b71cff60,azure_security_benchmark_v3.0_pv-6,Security Center,"System updates should be installed on your machines","Missing security system updates on your servers will be monitored by Azure Security Center as recommendations"
97566dd7-78ae-4997-8b36-1c7bfe0d8121,azure_security_benchmark_v3.0_pv-4,Security Center,"[Preview]: Secure Boot should be enabled on supported Windows virtual machines","Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines."
1c30f9cd-b84c-49cc-aa2c-9288447cc3b3,azure_security_benchmark_v3.0_pv-4,Security Center,"[Preview]: vTPM should be enabled on supported virtual machines","Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines."
bd876905-5b84-4f73-ab2d-2e7a7c4568d9,azure_security_benchmark_v3.0_pv-6,Update Management Center,"[Preview]: Machines should be configured to periodically check for missing system updates","To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode."
1d84d5fb-01f6-4d12-ba4f-4a26081d403d,azure_security_benchmark_v3.0_am-2,Compute,"Virtual machines should be migrated to new Azure Resource Manager resources","Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management"
497dff13-db2a-4c0f-8603-28fa3b331ab6,,Guest Configuration,"Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity","This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol."
3cf2ab00-13f1-4d0c-8971-2ac904541a7e,,Guest Configuration,"Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities","This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol."
8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2,System.Object[],Security Center,"Endpoint protection health issues should be resolved on your machines","Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection."
630c64f9-8b6b-4c64-b511-6544ceff6fd6,azure_security_benchmark_v3.0_im-6,Guest Configuration,"Authentication to Linux machines should require SSH keys","Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed."
af6cd1bd-1635-48cb-bde7-5b15693900b9,azure_security_benchmark_v3.0_es-2,Security Center,"Monitor missing Endpoint Protection in Azure Security Center","Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations"
0961003e-5a0a-4549-abde-af6a37f2724d,azure_security_benchmark_v3.0_dp-4,Security Center,"Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources","By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison"
9daedab3-fb2d-461e-b861-71790eead4f6,azure_security_benchmark_v3.0_ns-1,Security Center,"All network ports should be restricted on network security groups associated to your virtual machine","Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources."
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjumpazyc-windowsjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0serversqldbvulnerabilityassesmentmonitoring6ba6d016-e7c3-4842-b8f2-4992ebc0d72d/providers/microsoft.authorization/policydefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72dazure_security_benchmark_v3.0_pv-6tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.Security CenterSQL servers on machines should have vulnerability findings resolved
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjumpazyc-windowsjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0adaptivenetworkhardeningsmonitoring08e6af2d-db70-460a-bfe9-d5bd474ba9d6/providers/microsoft.authorization/policydefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAzure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surfaceSecurity CenterAdaptive network hardening recommendations should be applied on internet facing virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjumpazyc-windowsjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0restrictaccesstomanagementportsmonitoring22730e10-96f6-4aac-ad84-9383d35b5917/providers/microsoft.authorization/policydefinitions/22730e10-96f6-4aac-ad84-9383d35b5917azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineOpen remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.Security CenterManagement ports should be closed on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjumpazyc-windowsjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0servervulnerabilityassessment501541f7-f7e7-4cd6-868c-4190fdad3ac9/providers/microsoft.authorization/policydefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9azure_security_benchmark_v3.0_pv-5tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.Security CenterA vulnerability assessment solution should be enabled on your virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjumpazyc-windowsjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0disableipforwardingmonitoringbd352bd5-2853-4985-bf0d-73806b4a5744/providers/microsoft.authorization/policydefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744azure_security_benchmark_v3.0_ns-3tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineEnabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.Security CenterIP Forwarding on your virtual machine should be disabled
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjumpazyc-windowsjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0containerbenchmarkmonitoringe8cbc669-f12d-49eb-93e7-9273119e9933/providers/microsoft.authorization/policydefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933System.Object[]tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineAudit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.Security CenterVulnerabilities in container security configurations should be remediated
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-newimageccazyc-newimagecc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0linuxguestconfigbaselinesmonitoringfc9b3da7-8347-4380-8e70-0a0361d8dedd/providers/microsoft.authorization/policydefinitions/fc9b3da7-8347-4380-8e70-0a0361d8deddazure_security_benchmark_v3.0_pv-4tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.Guest ConfigurationLinux machines should meet requirements for the Azure compute security baseline
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2FalseNonCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/azyc-windowsjumpazyc-windowsjump55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2-previewascdependencyagentauditwindowseffect2f2ee1de-44aa-4762-b6bd-0893fc3f306d/providers/microsoft.authorization/policydefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306dazure_security_benchmark_v3.0_lt-4tbdauditifnotexists/providers/Microsoft.Management/managementGroups/MCAPSCoretbdAzure_Security_Baseline/providers/microsoft.management/managementgroups/mcapscore/providers/microsoft.authorization/policyassignments/azure_security_baselineSecurity Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.Monitoring[Preview]: Network traffic data collection agent should be installed on Windows virtual machines
1d81cec7-7ded-4731-884e-90c5aa59c622ycadenceMicrosoft.Compute/virtualMachinestbdwestus2TrueCompliant/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/resourcegroups/ycadence/providers/microsoft.compute/virtualmachines/fileserver-gu4geojsgeygcljzga4tsljugrfileserver-gu4geojsgeygcljzga4tsljugr55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0installloganalyticsagentonvmmonitoringa4fe33eb-e377-4efb-ab31-0784311bc499/providers/microsoft.authorization/policydefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622tbdSecurityCenterBuiltIn/subscriptions/1d81cec7-7ded-4731-884e-90c5aa59c622/providers/microsoft.authorization/policyassignments/securitycenterbuiltinThis policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threatsSecurity CenterLog Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
8629be3b-96bc-482d-a04b-ffff597c65a2Microsoft.Resources/subscriptionstbdFalseNonCompliant/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a28629be3b-96bc-482d-a04b-ffff597c65a255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0identityremovedeprecatedaccountmonitoringnew8d7e1fde-fe26-4b5f-8108-f8e432cbc2be/providers/microsoft.authorization/policydefinitions/8d7e1fde-fe26-4b5f-8108-f8e432cbc2beazure_security_benchmark_v3.0_pa-4tbdauditifnotexists/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2tbdSecurityCenterBuiltIn/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDeprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in.Security CenterBlocked accounts with read and write permissions on Azure resources should be removed
8629be3b-96bc-482d-a04b-ffff597c65a2Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a28629be3b-96bc-482d-a04b-ffff597c65a255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0identityenablemfaforwritepermissionsmonitoringeffect931e118d-50a1-4457-a5e4-78550e086c52/providers/microsoft.authorization/policydefinitions/931e118d-50a1-4457-a5e4-78550e086c52azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2tbdSecurityCenterBuiltIn/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMulti-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.Security CenterAccounts with write permissions on Azure resources should be MFA enabled
8629be3b-96bc-482d-a04b-ffff597c65a2Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a28629be3b-96bc-482d-a04b-ffff597c65a255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.1identityenablemfaforwritepermissionsmonitoring9297c21d-2ed6-4474-b48f-163f75654ce3/providers/microsoft.authorization/policydefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2tbdSecurityCenterBuiltIn/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMulti-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.Security CenterMFA should be enabled for accounts with write permissions on your subscription
8629be3b-96bc-482d-a04b-ffff597c65a2Microsoft.Resources/subscriptionstbdFalseNonCompliant/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a28629be3b-96bc-482d-a04b-ffff597c65a255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0identityremovedeprecatedaccountmonitoring6b1cbf55-e8b6-442f-ba4c-7246b6381474/providers/microsoft.authorization/policydefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474azure_security_benchmark_v3.0_pa-4tbdauditifnotexists/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2tbdSecurityCenterBuiltIn/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDeprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in.Security CenterDeprecated accounts should be removed from your subscription
8629be3b-96bc-482d-a04b-ffff597c65a2Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/roledefinitions/21d96096-b162-414a-8302-d8354f9d91b221d96096-b162-414a-8302-d8354f9d91b255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2tbdSecurityCenterBuiltIn/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
8629be3b-96bc-482d-a04b-ffff597c65a2Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/roledefinitions/260691e6-68c2-47cf-bd4a-97d5fd4dbcd5260691e6-68c2-47cf-bd4a-97d5fd4dbcd555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2tbdSecurityCenterBuiltIn/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
8629be3b-96bc-482d-a04b-ffff597c65a2Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/roledefinitions/7aff565e-6c55-448d-83db-ccf482c6da2f7aff565e-6c55-448d-83db-ccf482c6da2f55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2tbdSecurityCenterBuiltIn/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
8629be3b-96bc-482d-a04b-ffff597c65a2Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/roledefinitions/7fd64851-3279-459b-b614-e2b2ba760f5b7fd64851-3279-459b-b614-e2b2ba760f5b55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2tbdSecurityCenterBuiltIn/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
8629be3b-96bc-482d-a04b-ffff597c65a2Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/roledefinitions/7b266cd7-0bba-4ae2-8423-90ede5e1e8987b266cd7-0bba-4ae2-8423-90ede5e1e89855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2tbdSecurityCenterBuiltIn/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
8629be3b-96bc-482d-a04b-ffff597c65a2Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a28629be3b-96bc-482d-a04b-ffff597c65a255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0identityenablemfaforreadpermissionsmonitoringe3576e28-8b17-4677-84c3-db2990658d64/providers/microsoft.authorization/policydefinitions/e3576e28-8b17-4677-84c3-db2990658d64azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2tbdSecurityCenterBuiltIn/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMulti-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.Security CenterMFA should be enabled on accounts with read permissions on your subscription
8629be3b-96bc-482d-a04b-ffff597c65a2Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a28629be3b-96bc-482d-a04b-ffff597c65a255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0identityremovedeprecatedaccountwithownerpermissionsmonitoringebb62a0c-3560-49e1-89ed-27e074e9f8ad/providers/microsoft.authorization/policydefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8adSystem.Object[]tbdauditifnotexists/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2tbdSecurityCenterBuiltIn/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDeprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in.Security CenterDeprecated accounts with owner permissions should be removed from your subscription
8629be3b-96bc-482d-a04b-ffff597c65a2Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/roledefinitions/a48d7896-14b4-4889-afef-fbb65a96e5a2a48d7896-14b4-4889-afef-fbb65a96e5a255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2tbdSecurityCenterBuiltIn/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
8629be3b-96bc-482d-a04b-ffff597c65a2Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a28629be3b-96bc-482d-a04b-ffff597c65a255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0identityremovedeprecatedaccountwithownerpermissionsmonitoringnew0cfea604-3201-4e14-88fc-fae4c427a6c5/providers/microsoft.authorization/policydefinitions/0cfea604-3201-4e14-88fc-fae4c427a6c5System.Object[]tbdauditifnotexists/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2tbdSecurityCenterBuiltIn/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDeprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in.Security CenterBlocked accounts with owner permissions on Azure resources should be removed
8629be3b-96bc-482d-a04b-ffff597c65a2Microsoft.Resources/subscriptionstbdFalseNonCompliant/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a28629be3b-96bc-482d-a04b-ffff597c65a255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0identitydesignatelessthanownersmonitoring4f11b553-d42e-4e3a-89be-32ca364cad4c/providers/microsoft.authorization/policydefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4cazure_security_benchmark_v3.0_pa-1tbdauditifnotexists/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2tbdSecurityCenterBuiltIn/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltinIt is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner.Security CenterA maximum of 3 owners should be designated for your subscription
8629be3b-96bc-482d-a04b-ffff597c65a2Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a28629be3b-96bc-482d-a04b-ffff597c65a255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0identitydesignatemorethanoneownermonitoring09024ccc-0c5f-475e-9457-b7c0d9ed487b/providers/microsoft.authorization/policydefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487bazure_security_benchmark_v3.0_pa-1tbdauditifnotexists/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2tbdSecurityCenterBuiltIn/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltinIt is recommended to designate more than one subscription owner in order to have administrator access redundancy.Security CenterThere should be more than one owner assigned to your subscription
8629be3b-96bc-482d-a04b-ffff597c65a2Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a28629be3b-96bc-482d-a04b-ffff597c65a255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0identityenablemfaforownerpermissionsmonitoringaa633080-8b72-40c4-a2d7-d00c03e80bed/providers/microsoft.authorization/policydefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bedazure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2tbdSecurityCenterBuiltIn/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMulti-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.Security CenterMFA should be enabled on accounts with owner permissions on your subscription
8629be3b-96bc-482d-a04b-ffff597c65a2Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a28629be3b-96bc-482d-a04b-ffff597c65a255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0identityenablemfaforownerpermissionsmonitoringnewe3e008c3-56b9-4133-8fd7-d3347377402a/providers/microsoft.authorization/policydefinitions/e3e008c3-56b9-4133-8fd7-d3347377402aazure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2tbdSecurityCenterBuiltIn/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMulti-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.Security CenterAccounts with owner permissions on Azure resources should be MFA enabled
8629be3b-96bc-482d-a04b-ffff597c65a2,,Microsoft.Authorization/roleDefinitions,tbd,,False,NonCompliant,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/roledefinitions/fd1bb084-1503-4bd2-99c0-630220046786,fd1bb084-1503-4bd2-99c0-630220046786,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,userbacrulesmonitoring,a451c1ef-c6ca-483d-87ed-f49761e3ffb5,/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5,azure_security_benchmark_v3.0_pa-7,tbd,audit,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,tbd,,SecurityCenterBuiltIn,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling",General,Audit usage of custom RBAC rules
8629be3b-96bc-482d-a04b-ffff597c65a2,,Microsoft.Authorization/roleDefinitions,tbd,,False,NonCompliant,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/roledefinitions/e078ab98-ef3a-4c9a-aba7-12f5172b45d0,e078ab98-ef3a-4c9a-aba7-12f5172b45d0,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,userbacrulesmonitoring,a451c1ef-c6ca-483d-87ed-f49761e3ffb5,/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5,azure_security_benchmark_v3.0_pa-7,tbd,audit,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,tbd,,SecurityCenterBuiltIn,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling",General,Audit usage of custom RBAC rules
8629be3b-96bc-482d-a04b-ffff597c65a2,,Microsoft.Authorization/roleDefinitions,tbd,,False,NonCompliant,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/roledefinitions/b91f4c0b-46e3-47bb-a242-eecfe23b3b5b,b91f4c0b-46e3-47bb-a242-eecfe23b3b5b,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,userbacrulesmonitoring,a451c1ef-c6ca-483d-87ed-f49761e3ffb5,/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5,azure_security_benchmark_v3.0_pa-7,tbd,audit,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,tbd,,SecurityCenterBuiltIn,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling",General,Audit usage of custom RBAC rules
8629be3b-96bc-482d-a04b-ffff597c65a2,,Microsoft.Authorization/roleDefinitions,tbd,,False,NonCompliant,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/roledefinitions/94ddc4bc-25f5-4f3e-b527-c587da93cfe4,94ddc4bc-25f5-4f3e-b527-c587da93cfe4,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,userbacrulesmonitoring,a451c1ef-c6ca-483d-87ed-f49761e3ffb5,/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5,azure_security_benchmark_v3.0_pa-7,tbd,audit,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,tbd,,SecurityCenterBuiltIn,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling",General,Audit usage of custom RBAC rules
8629be3b-96bc-482d-a04b-ffff597c65a2,,Microsoft.Authorization/roleDefinitions,tbd,,False,NonCompliant,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/roledefinitions/a7b1b19a-0e83-4fe5-935c-faaefbfd18c3,a7b1b19a-0e83-4fe5-935c-faaefbfd18c3,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,userbacrulesmonitoring,a451c1ef-c6ca-483d-87ed-f49761e3ffb5,/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5,azure_security_benchmark_v3.0_pa-7,tbd,audit,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,tbd,,SecurityCenterBuiltIn,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling",General,Audit usage of custom RBAC rules
8629be3b-96bc-482d-a04b-ffff597c65a2,,Microsoft.Authorization/roleDefinitions,tbd,,False,NonCompliant,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/roledefinitions/87d31636-ad85-4caa-802d-1535972b5612,87d31636-ad85-4caa-802d-1535972b5612,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,userbacrulesmonitoring,a451c1ef-c6ca-483d-87ed-f49761e3ffb5,/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5,azure_security_benchmark_v3.0_pa-7,tbd,audit,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,tbd,,SecurityCenterBuiltIn,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling",General,Audit usage of custom RBAC rules
8629be3b-96bc-482d-a04b-ffff597c65a2,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,8629be3b-96bc-482d-a04b-ffff597c65a2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,identityremoveexternalaccountwithownerpermissionsmonitoringnew,339353f6-2387-4a45-abe4-7f529d121046,/providers/microsoft.authorization/policydefinitions/339353f6-2387-4a45-abe4-7f529d121046,System.Object[],tbd,auditifnotexists,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,tbd,,SecurityCenterBuiltIn,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access.",Security Center,Guest accounts with owner permissions on Azure resources should be removed
8629be3b-96bc-482d-a04b-ffff597c65a2,,Microsoft.Authorization/roleDefinitions,tbd,,False,NonCompliant,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/roledefinitions/9f15f5f5-77bd-413a-aa88-4b9c68b1e7bc,9f15f5f5-77bd-413a-aa88-4b9c68b1e7bc,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,userbacrulesmonitoring,a451c1ef-c6ca-483d-87ed-f49761e3ffb5,/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5,azure_security_benchmark_v3.0_pa-7,tbd,audit,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,tbd,,SecurityCenterBuiltIn,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling",General,Audit usage of custom RBAC rules
8629be3b-96bc-482d-a04b-ffff597c65a2,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,8629be3b-96bc-482d-a04b-ffff597c65a2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,identityremoveexternalaccountwithownerpermissionsmonitoring,f8456c1c-aa66-4dfb-861a-25d127b775c9,/providers/microsoft.authorization/policydefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9,System.Object[],tbd,auditifnotexists,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,tbd,,SecurityCenterBuiltIn,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access.",Security Center,External accounts with owner permissions should be removed from your subscription
8629be3b-96bc-482d-a04b-ffff597c65a2,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,8629be3b-96bc-482d-a04b-ffff597c65a2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,identityenablemfaforreadpermissionsmonitoringnew,81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4,/providers/microsoft.authorization/policydefinitions/81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,tbd,,SecurityCenterBuiltIn,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.",Security Center,Accounts with read permissions on Azure resources should be MFA enabled
8629be3b-96bc-482d-a04b-ffff597c65a2,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,8629be3b-96bc-482d-a04b-ffff597c65a2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,containersadvancedthreatprotectionmonitoringeffect,1c988dd6-ade4-430f-a608-2a3e5b0a6d38,/providers/microsoft.authorization/policydefinitions/1c988dd6-ade4-430f-a608-2a3e5b0a6d38,System.Object[],tbd,auditifnotexists,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,tbd,,SecurityCenterBuiltIn,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments.",Security Center,Microsoft Defender for Containers should be enabled
8629be3b-96bc-482d-a04b-ffff597c65a2,,Microsoft.Authorization/roleDefinitions,tbd,,False,NonCompliant,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/roledefinitions/a48d7796-14b4-4889-afef-fbb65a93e5a2,a48d7796-14b4-4889-afef-fbb65a93e5a2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,userbacrulesmonitoring,a451c1ef-c6ca-483d-87ed-f49761e3ffb5,/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5,azure_security_benchmark_v3.0_pa-7,tbd,audit,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,tbd,,SecurityCenterBuiltIn,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling",General,Audit usage of custom RBAC rules
8629be3b-96bc-482d-a04b-ffff597c65a2,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,8629be3b-96bc-482d-a04b-ffff597c65a2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,identityremoveexternalaccountwithreadpermissionsmonitoringnew,e9ac8f8e-ce22-4355-8f04-99b911d6be52,/providers/microsoft.authorization/policydefinitions/e9ac8f8e-ce22-4355-8f04-99b911d6be52,azure_security_benchmark_v3.0_pa-4,tbd,auditifnotexists,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,tbd,,SecurityCenterBuiltIn,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access.",Security Center,Guest accounts with read permissions on Azure resources should be removed
8629be3b-96bc-482d-a04b-ffff597c65a2,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,8629be3b-96bc-482d-a04b-ffff597c65a2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.3,storageaccountsadvanceddatasecuritymonitoringeffect,308fbb08-4ab8-4e67-9b29-592e93fb94fa,/providers/microsoft.authorization/policydefinitions/308fbb08-4ab8-4e67-9b29-592e93fb94fa,System.Object[],tbd,auditifnotexists,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,tbd,,SecurityCenterBuiltIn,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts.",Security Center,Azure Defender for Storage should be enabled
8629be3b-96bc-482d-a04b-ffff597c65a2,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,8629be3b-96bc-482d-a04b-ffff597c65a2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,identityremoveexternalaccountwithwritepermissionsmonitoringnew,94e1c2ac-cbbe-4cac-a2b5-389c812dee87,/providers/microsoft.authorization/policydefinitions/94e1c2ac-cbbe-4cac-a2b5-389c812dee87,azure_security_benchmark_v3.0_pa-4,tbd,auditifnotexists,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,tbd,,SecurityCenterBuiltIn,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access.",Security Center,Guest accounts with write permissions on Azure resources should be removed
8629be3b-96bc-482d-a04b-ffff597c65a2,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,8629be3b-96bc-482d-a04b-ffff597c65a2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.3,appservicesadvancedthreatprotectionmonitoringeffect,2913021d-f2fd-4f3d-b958-22354e2bdbcb,/providers/microsoft.authorization/policydefinitions/2913021d-f2fd-4f3d-b958-22354e2bdbcb,System.Object[],tbd,auditifnotexists,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,tbd,,SecurityCenterBuiltIn,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.",Security Center,Azure Defender for App Service should be enabled
8629be3b-96bc-482d-a04b-ffff597c65a2,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,8629be3b-96bc-482d-a04b-ffff597c65a2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,autoprovisioningoftheloganalyticsagentshouldbeenabledonyoursubscriptionmonitoringeffect,475aae12-b88a-4572-8b36-9b712b2b3a17,/providers/microsoft.authorization/policydefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17,azure_security_benchmark_v3.0_lt-5,tbd,auditifnotexists,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,tbd,,SecurityCenterBuiltIn,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created.",Security Center,Auto provisioning of the Log Analytics agent should be enabled on your subscription
8629be3b-96bc-482d-a04b-ffff597c65a2,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,8629be3b-96bc-482d-a04b-ffff597c65a2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,sqlserversvirtualmachinesadvanceddatasecuritymonitoringeffect,6581d072-105e-4418-827f-bd446d56421b,/providers/microsoft.authorization/policydefinitions/6581d072-105e-4418-827f-bd446d56421b,System.Object[],tbd,auditifnotexists,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,tbd,,SecurityCenterBuiltIn,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.",Security Center,Azure Defender for SQL servers on machines should be enabled
8629be3b-96bc-482d-a04b-ffff597c65a2,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,8629be3b-96bc-482d-a04b-ffff597c65a2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.3,keyvaultsadvanceddatasecuritymonitoringeffect,0e6763cc-5078-4e64-889d-ff4d9a839047,/providers/microsoft.authorization/policydefinitions/0e6763cc-5078-4e64-889d-ff4d9a839047,System.Object[],tbd,auditifnotexists,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,tbd,,SecurityCenterBuiltIn,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts.",Security Center,Azure Defender for Key Vault should be enabled
8629be3b-96bc-482d-a04b-ffff597c65a2,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,8629be3b-96bc-482d-a04b-ffff597c65a2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.3,virtualmachinesadvancedthreatprotectionmonitoringeffect,4da35fc9-c9e7-4960-aec9-797fe7d9051d,/providers/microsoft.authorization/policydefinitions/4da35fc9-c9e7-4960-aec9-797fe7d9051d,System.Object[],tbd,auditifnotexists,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,tbd,,SecurityCenterBuiltIn,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities.",Security Center,Azure Defender for servers should be enabled
8629be3b-96bc-482d-a04b-ffff597c65a2,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,8629be3b-96bc-482d-a04b-ffff597c65a2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,azuredefenderfordnsshouldbeenabledmonitoringeffect,bdc59948-5574-49b3-bb91-76b7c986428d,/providers/microsoft.authorization/policydefinitions/bdc59948-5574-49b3-bb91-76b7c986428d,System.Object[],tbd,auditifnotexists,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,tbd,,SecurityCenterBuiltIn,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center .",Security Center,Azure Defender for DNS should be enabled
8629be3b-96bc-482d-a04b-ffff597c65a2,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,8629be3b-96bc-482d-a04b-ffff597c65a2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.2,sqlserversadvanceddatasecuritymonitoringeffect,7fe3b40f-802b-4cdd-8bd4-fd799c948cc2,/providers/microsoft.authorization/policydefinitions/7fe3b40f-802b-4cdd-8bd4-fd799c948cc2,System.Object[],tbd,auditifnotexists,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,tbd,,SecurityCenterBuiltIn,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.",Security Center,Azure Defender for Azure SQL Database servers should be enabled
8629be3b-96bc-482d-a04b-ffff597c65a2,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,8629be3b-96bc-482d-a04b-ffff597c65a2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,azuredefenderforresourcemanagershouldbeenabledmonitoringeffect,c3d20c29-b36d-48fe-808b-99a87530ad99,/providers/microsoft.authorization/policydefinitions/c3d20c29-b36d-48fe-808b-99a87530ad99,System.Object[],tbd,auditifnotexists,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,tbd,,SecurityCenterBuiltIn,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center .",Security Center,Azure Defender for Resource Manager should be enabled
8629be3b-96bc-482d-a04b-ffff597c65a2,,Microsoft.Resources/subscriptions,tbd,,False,NonCompliant,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,8629be3b-96bc-482d-a04b-ffff597c65a2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,emailnotificationforhighseverityalertsshouldbeenabledmonitoringeffect,6e2593d9-add6-4083-9c9b-4b7d2188c899,/providers/microsoft.authorization/policydefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899,azure_security_benchmark_v3.0_ir-2,tbd,auditifnotexists,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,tbd,,SecurityCenterBuiltIn,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center.",Security Center,Email notification for high severity alerts should be enabled
8629be3b-96bc-482d-a04b-ffff597c65a2,,Microsoft.Resources/subscriptions,tbd,,False,NonCompliant,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,8629be3b-96bc-482d-a04b-ffff597c65a2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,microsoftdefendercspmshouldbeenabledmonitoringeffect,1f90fc71-a595-4066-8974-d4d0802e8ef0,/providers/microsoft.authorization/policydefinitions/1f90fc71-a595-4066-8974-d4d0802e8ef0,System.Object[],tbd,auditifnotexists,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,tbd,,SecurityCenterBuiltIn,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud.",Security Center,Microsoft Defender CSPM should be enabled
8629be3b-96bc-482d-a04b-ffff597c65a2,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,8629be3b-96bc-482d-a04b-ffff597c65a2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,identityremoveexternalaccountwithwritepermissionsmonitoring,5c607a2e-c700-4744-8254-d77e7c9eb5e4,/providers/microsoft.authorization/policydefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4,azure_security_benchmark_v3.0_pa-4,tbd,auditifnotexists,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,tbd,,SecurityCenterBuiltIn,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access.",Security Center,External accounts with write permissions should be removed from your subscription
8629be3b-96bc-482d-a04b-ffff597c65a2,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,8629be3b-96bc-482d-a04b-ffff597c65a2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,subscriptionsshouldhaveacontactemailaddressforsecurityissuesmonitoringeffect,4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7,/providers/microsoft.authorization/policydefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7,azure_security_benchmark_v3.0_ir-2,tbd,auditifnotexists,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,tbd,,SecurityCenterBuiltIn,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center.",Security Center,Subscriptions should have a contact email address for security issues
8629be3b-96bc-482d-a04b-ffff597c65a2,,Microsoft.Resources/subscriptions,tbd,,False,NonCompliant,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,8629be3b-96bc-482d-a04b-ffff597c65a2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,emailnotificationtosubscriptionownerforhighseverityalertsshouldbeenabledmonitoringeffect,0b15565f-aa9e-48ba-8619-45960f2c314d,/providers/microsoft.authorization/policydefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d,azure_security_benchmark_v3.0_ir-2,tbd,auditifnotexists,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,tbd,,SecurityCenterBuiltIn,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center.",Security Center,Email notification to subscription owner for high severity alerts should be enabled
8629be3b-96bc-482d-a04b-ffff597c65a2,,Microsoft.Authorization/roleDefinitions,tbd,,False,NonCompliant,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/roledefinitions/a16c43ca-2d67-4dcd-9ded-6412f5edc51a,a16c43ca-2d67-4dcd-9ded-6412f5edc51a,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,userbacrulesmonitoring,a451c1ef-c6ca-483d-87ed-f49761e3ffb5,/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5,azure_security_benchmark_v3.0_pa-7,tbd,audit,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,tbd,,SecurityCenterBuiltIn,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling",General,Audit usage of custom RBAC rules
8629be3b-96bc-482d-a04b-ffff597c65a2,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,8629be3b-96bc-482d-a04b-ffff597c65a2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,azuredefenderforopensourcerelationaldatabasesshouldbeenabledmonitoringeffect,0a9fbe0d-c5c4-4da8-87d8-f4fd77338835,/providers/microsoft.authorization/policydefinitions/0a9fbe0d-c5c4-4da8-87d8-f4fd77338835,System.Object[],tbd,auditifnotexists,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,tbd,,SecurityCenterBuiltIn,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more about the capabilities of Azure Defender for open-source relational databases at https://aka.ms/AzDforOpenSourceDBsDocu. Important: Enabling this plan will result in charges for protecting your open-source relational databases. Learn about the pricing on Security Center's pricing page: https://aka.ms/pricing-security-center",Security Center,Azure Defender for open-source relational databases should be enabled
8629be3b-96bc-482d-a04b-ffff597c65a2,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,8629be3b-96bc-482d-a04b-ffff597c65a2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,identityremoveexternalaccountwithreadpermissionsmonitoring,5f76cf89-fbf2-47fd-a3f4-b891fa780b60,/providers/microsoft.authorization/policydefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60,azure_security_benchmark_v3.0_pa-4,tbd,auditifnotexists,,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2,tbd,,SecurityCenterBuiltIn,/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access.",Security Center,External accounts with read permissions should be removed from your subscription
e0fd569c-e34a-4249-8c24-e8d723c7f054,,Microsoft.Authorization/roleDefinitions,tbd,,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/roledefinitions/a7b1b19a-0e83-4fe5-935c-faaefbfd18c3,a7b1b19a-0e83-4fe5-935c-faaefbfd18c3,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,userbacrulesmonitoring,a451c1ef-c6ca-483d-87ed-f49761e3ffb5,/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5,azure_security_benchmark_v3.0_pa-7,tbd,audit,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,tbd,,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling",General,Audit usage of custom RBAC rules
e0fd569c-e34a-4249-8c24-e8d723c7f054,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,e0fd569c-e34a-4249-8c24-e8d723c7f054,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,identityenablemfaforreadpermissionsmonitoringnew,81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4,/providers/microsoft.authorization/policydefinitions/81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,tbd,,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.",Security Center,Accounts with read permissions on Azure resources should be MFA enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054,,Microsoft.Resources/subscriptions,tbd,,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,e0fd569c-e34a-4249-8c24-e8d723c7f054,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,identityenablemfaforownerpermissionsmonitoring,aa633080-8b72-40c4-a2d7-d00c03e80bed,/providers/microsoft.authorization/policydefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,tbd,,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.",Security Center,MFA should be enabled on accounts with owner permissions on your subscription
e0fd569c-e34a-4249-8c24-e8d723c7f054,,Microsoft.Resources/subscriptions,tbd,,True,Compliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,e0fd569c-e34a-4249-8c24-e8d723c7f054,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,identityenablemfaforownerpermissionsmonitoringnew,e3e008c3-56b9-4133-8fd7-d3347377402a,/providers/microsoft.authorization/policydefinitions/e3e008c3-56b9-4133-8fd7-d3347377402a,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,tbd,,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.",Security Center,Accounts with owner permissions on Azure resources should be MFA enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054,,Microsoft.Resources/subscriptions,tbd,,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,e0fd569c-e34a-4249-8c24-e8d723c7f054,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.1,identityenablemfaforwritepermissionsmonitoring,9297c21d-2ed6-4474-b48f-163f75654ce3,/providers/microsoft.authorization/policydefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3,azure_security_benchmark_v3.0_im-6,tbd,auditifnotexists,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,tbd,,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.",Security Center,MFA should be enabled for accounts with write permissions on your subscription
e0fd569c-e34a-4249-8c24-e8d723c7f054Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054e0fd569c-e34a-4249-8c24-e8d723c7f05455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0identityenablemfaforwritepermissionsmonitoringeffect931e118d-50a1-4457-a5e4-78550e086c52/providers/microsoft.authorization/policydefinitions/931e118d-50a1-4457-a5e4-78550e086c52azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMulti-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.Security CenterAccounts with write permissions on Azure resources should be MFA enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/roledefinitions/a48d7896-14b4-4889-afef-fbb65a96e5a2a48d7896-14b4-4889-afef-fbb65a96e5a255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
e0fd569c-e34a-4249-8c24-e8d723c7f054Microsoft.Resources/subscriptionstbdFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054e0fd569c-e34a-4249-8c24-e8d723c7f05455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0identityenablemfaforreadpermissionsmonitoringe3576e28-8b17-4677-84c3-db2990658d64/providers/microsoft.authorization/policydefinitions/e3576e28-8b17-4677-84c3-db2990658d64azure_security_benchmark_v3.0_im-6tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMulti-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.Security CenterMFA should be enabled on accounts with read permissions on your subscription
e0fd569c-e34a-4249-8c24-e8d723c7f054Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/roledefinitions/e078ab98-ef3a-4c9a-aba7-12f5172b45d0e078ab98-ef3a-4c9a-aba7-12f5172b45d055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
e0fd569c-e34a-4249-8c24-e8d723c7f054Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/roledefinitions/fd6e57ea-fe3c-4f21-bd1e-de170a9a4971fd6e57ea-fe3c-4f21-bd1e-de170a9a497155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
e0fd569c-e34a-4249-8c24-e8d723c7f054Microsoft.Resources/subscriptionstbdFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054e0fd569c-e34a-4249-8c24-e8d723c7f05455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0identityremoveexternalaccountwithwritepermissionsmonitoring5c607a2e-c700-4744-8254-d77e7c9eb5e4/providers/microsoft.authorization/policydefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4azure_security_benchmark_v3.0_pa-4tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinExternal accounts with write privileges should be removed from your subscription in order to prevent unmonitored access.Security CenterExternal accounts with write permissions should be removed from your subscription
e0fd569c-e34a-4249-8c24-e8d723c7f054Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054e0fd569c-e34a-4249-8c24-e8d723c7f05455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0identityremoveexternalaccountwithownerpermissionsmonitoringnew339353f6-2387-4a45-abe4-7f529d121046/providers/microsoft.authorization/policydefinitions/339353f6-2387-4a45-abe4-7f529d121046System.Object[]tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinExternal accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access.Security CenterGuest accounts with owner permissions on Azure resources should be removed
e0fd569c-e34a-4249-8c24-e8d723c7f054Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054e0fd569c-e34a-4249-8c24-e8d723c7f05455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0identityremoveexternalaccountwithwritepermissionsmonitoringnew94e1c2ac-cbbe-4cac-a2b5-389c812dee87/providers/microsoft.authorization/policydefinitions/94e1c2ac-cbbe-4cac-a2b5-389c812dee87azure_security_benchmark_v3.0_pa-4tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinExternal accounts with write privileges should be removed from your subscription in order to prevent unmonitored access.Security CenterGuest accounts with write permissions on Azure resources should be removed
e0fd569c-e34a-4249-8c24-e8d723c7f054Microsoft.Resources/subscriptionstbdFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054e0fd569c-e34a-4249-8c24-e8d723c7f05455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0identityremovedeprecatedaccountwithownerpermissionsmonitoringebb62a0c-3560-49e1-89ed-27e074e9f8ad/providers/microsoft.authorization/policydefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8adSystem.Object[]tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDeprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in.Security CenterDeprecated accounts with owner permissions should be removed from your subscription
e0fd569c-e34a-4249-8c24-e8d723c7f054Microsoft.Resources/subscriptionstbdFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054e0fd569c-e34a-4249-8c24-e8d723c7f05455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0identityremoveexternalaccountwithownerpermissionsmonitoringf8456c1c-aa66-4dfb-861a-25d127b775c9/providers/microsoft.authorization/policydefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9System.Object[]tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinExternal accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access.Security CenterExternal accounts with owner permissions should be removed from your subscription
e0fd569c-e34a-4249-8c24-e8d723c7f054Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054e0fd569c-e34a-4249-8c24-e8d723c7f05455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0identityremovedeprecatedaccountwithownerpermissionsmonitoringnew0cfea604-3201-4e14-88fc-fae4c427a6c5/providers/microsoft.authorization/policydefinitions/0cfea604-3201-4e14-88fc-fae4c427a6c5System.Object[]tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDeprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in.Security CenterBlocked accounts with owner permissions on Azure resources should be removed
e0fd569c-e34a-4249-8c24-e8d723c7f054Microsoft.Resources/subscriptionstbdFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054e0fd569c-e34a-4249-8c24-e8d723c7f05455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0identityremoveexternalaccountwithreadpermissionsmonitoring5f76cf89-fbf2-47fd-a3f4-b891fa780b60/providers/microsoft.authorization/policydefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60azure_security_benchmark_v3.0_pa-4tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinExternal accounts with read privileges should be removed from your subscription in order to prevent unmonitored access.Security CenterExternal accounts with read permissions should be removed from your subscription
e0fd569c-e34a-4249-8c24-e8d723c7f054Microsoft.Resources/subscriptionstbdTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054e0fd569c-e34a-4249-8c24-e8d723c7f05455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0identityremoveexternalaccountwithreadpermissionsmonitoringnewe9ac8f8e-ce22-4355-8f04-99b911d6be52/providers/microsoft.authorization/policydefinitions/e9ac8f8e-ce22-4355-8f04-99b911d6be52azure_security_benchmark_v3.0_pa-4tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinExternal accounts with read privileges should be removed from your subscription in order to prevent unmonitored access.Security CenterGuest accounts with read permissions on Azure resources should be removed
e0fd569c-e34a-4249-8c24-e8d723c7f054Microsoft.Resources/subscriptionstbdFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054e0fd569c-e34a-4249-8c24-e8d723c7f05455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.3keyvaultsadvanceddatasecuritymonitoringeffect0e6763cc-5078-4e64-889d-ff4d9a839047/providers/microsoft.authorization/policydefinitions/0e6763cc-5078-4e64-889d-ff4d9a839047System.Object[]tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts.Security CenterAzure Defender for Key Vault should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054Microsoft.Resources/subscriptionstbdFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054e0fd569c-e34a-4249-8c24-e8d723c7f05455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.3storageaccountsadvanceddatasecuritymonitoringeffect308fbb08-4ab8-4e67-9b29-592e93fb94fa/providers/microsoft.authorization/policydefinitions/308fbb08-4ab8-4e67-9b29-592e93fb94faSystem.Object[]tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts.Security CenterAzure Defender for Storage should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054Microsoft.Resources/subscriptionstbdFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054e0fd569c-e34a-4249-8c24-e8d723c7f05455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2sqlserversadvanceddatasecuritymonitoringeffect7fe3b40f-802b-4cdd-8bd4-fd799c948cc2/providers/microsoft.authorization/policydefinitions/7fe3b40f-802b-4cdd-8bd4-fd799c948cc2System.Object[]tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.Security CenterAzure Defender for Azure SQL Database servers should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054Microsoft.Resources/subscriptionstbdFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054e0fd569c-e34a-4249-8c24-e8d723c7f05455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.2sqlserversvirtualmachinesadvanceddatasecuritymonitoringeffect6581d072-105e-4418-827f-bd446d56421b/providers/microsoft.authorization/policydefinitions/6581d072-105e-4418-827f-bd446d56421bSystem.Object[]tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.Security CenterAzure Defender for SQL servers on machines should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/roledefinitions/b91f4c0b-46e3-47bb-a242-eecfe23b3b5bb91f4c0b-46e3-47bb-a242-eecfe23b3b5b55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
e0fd569c-e34a-4249-8c24-e8d723c7f054Microsoft.Resources/subscriptionstbdFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054e0fd569c-e34a-4249-8c24-e8d723c7f05455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.3virtualmachinesadvancedthreatprotectionmonitoringeffect4da35fc9-c9e7-4960-aec9-797fe7d9051d/providers/microsoft.authorization/policydefinitions/4da35fc9-c9e7-4960-aec9-797fe7d9051dSystem.Object[]tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities.Security CenterAzure Defender for servers should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054Microsoft.Resources/subscriptionstbdFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054e0fd569c-e34a-4249-8c24-e8d723c7f05455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.3appservicesadvancedthreatprotectionmonitoringeffect2913021d-f2fd-4f3d-b958-22354e2bdbcb/providers/microsoft.authorization/policydefinitions/2913021d-f2fd-4f3d-b958-22354e2bdbcbSystem.Object[]tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.Security CenterAzure Defender for App Service should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054Microsoft.Resources/subscriptionstbdFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054e0fd569c-e34a-4249-8c24-e8d723c7f05455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0azuredefenderforopensourcerelationaldatabasesshouldbeenabledmonitoringeffect0a9fbe0d-c5c4-4da8-87d8-f4fd77338835/providers/microsoft.authorization/policydefinitions/0a9fbe0d-c5c4-4da8-87d8-f4fd77338835System.Object[]tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more about the capabilities of Azure Defender for open-source relational databases at https://aka.ms/AzDforOpenSourceDBsDocu. Important: Enabling this plan will result in charges for protecting your open-source relational databases. Learn about the pricing on Security Center's pricing page: https://aka.ms/pricing-security-centerSecurity CenterAzure Defender for open-source relational databases should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054Microsoft.Resources/subscriptionstbdFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054e0fd569c-e34a-4249-8c24-e8d723c7f05455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1autoprovisioningoftheloganalyticsagentshouldbeenabledonyoursubscriptionmonitoringeffect475aae12-b88a-4572-8b36-9b712b2b3a17/providers/microsoft.authorization/policydefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17azure_security_benchmark_v3.0_lt-5tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created.Security CenterAuto provisioning of the Log Analytics agent should be enabled on your subscription
e0fd569c-e34a-4249-8c24-e8d723c7f054Microsoft.Resources/subscriptionstbdFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054e0fd569c-e34a-4249-8c24-e8d723c7f05455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0azuredefenderforresourcemanagershouldbeenabledmonitoringeffectc3d20c29-b36d-48fe-808b-99a87530ad99/providers/microsoft.authorization/policydefinitions/c3d20c29-b36d-48fe-808b-99a87530ad99System.Object[]tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center .Security CenterAzure Defender for Resource Manager should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054Microsoft.Resources/subscriptionstbdFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054e0fd569c-e34a-4249-8c24-e8d723c7f05455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0azuredefenderfordnsshouldbeenabledmonitoringeffectbdc59948-5574-49b3-bb91-76b7c986428d/providers/microsoft.authorization/policydefinitions/bdc59948-5574-49b3-bb91-76b7c986428dSystem.Object[]tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center .Security CenterAzure Defender for DNS should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054Microsoft.Resources/subscriptionstbdFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054e0fd569c-e34a-4249-8c24-e8d723c7f05455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0microsoftdefendercspmshouldbeenabledmonitoringeffect1f90fc71-a595-4066-8974-d4d0802e8ef0/providers/microsoft.authorization/policydefinitions/1f90fc71-a595-4066-8974-d4d0802e8ef0System.Object[]tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDefender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud.Security CenterMicrosoft Defender CSPM should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054Microsoft.Resources/subscriptionstbdFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054e0fd569c-e34a-4249-8c24-e8d723c7f05455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1emailnotificationforhighseverityalertsshouldbeenabledmonitoringeffect6e2593d9-add6-4083-9c9b-4b7d2188c899/providers/microsoft.authorization/policydefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899azure_security_benchmark_v3.0_ir-2tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center.Security CenterEmail notification for high severity alerts should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054Microsoft.Resources/subscriptionstbdFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054e0fd569c-e34a-4249-8c24-e8d723c7f05455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1subscriptionsshouldhaveacontactemailaddressforsecurityissuesmonitoringeffect4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7/providers/microsoft.authorization/policydefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7azure_security_benchmark_v3.0_ir-2tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center.Security CenterSubscriptions should have a contact email address for security issues
e0fd569c-e34a-4249-8c24-e8d723c7f054Microsoft.Resources/subscriptionstbdFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054e0fd569c-e34a-4249-8c24-e8d723c7f05455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0emailnotificationtosubscriptionownerforhighseverityalertsshouldbeenabledmonitoringeffect0b15565f-aa9e-48ba-8619-45960f2c314d/providers/microsoft.authorization/policydefinitions/0b15565f-aa9e-48ba-8619-45960f2c314dazure_security_benchmark_v3.0_ir-2tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinTo ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center.Security CenterEmail notification to subscription owner for high severity alerts should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054Microsoft.Resources/subscriptionstbdFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054e0fd569c-e34a-4249-8c24-e8d723c7f05455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0identityremovedeprecatedaccountmonitoring6b1cbf55-e8b6-442f-ba4c-7246b6381474/providers/microsoft.authorization/policydefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474azure_security_benchmark_v3.0_pa-4tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDeprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in.Security CenterDeprecated accounts should be removed from your subscription
e0fd569c-e34a-4249-8c24-e8d723c7f054Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/roledefinitions/fd1bb084-1503-4bd2-99c0-630220046786fd1bb084-1503-4bd2-99c0-63022004678655.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
e0fd569c-e34a-4249-8c24-e8d723c7f054Microsoft.Resources/subscriptionstbdFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054e0fd569c-e34a-4249-8c24-e8d723c7f05455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0containersadvancedthreatprotectionmonitoringeffect1c988dd6-ade4-430f-a608-2a3e5b0a6d38/providers/microsoft.authorization/policydefinitions/1c988dd6-ade4-430f-a608-2a3e5b0a6d38System.Object[]tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMicrosoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments.Security CenterMicrosoft Defender for Containers should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054Microsoft.Resources/subscriptionstbdFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054e0fd569c-e34a-4249-8c24-e8d723c7f05455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0identityremovedeprecatedaccountmonitoringnew8d7e1fde-fe26-4b5f-8108-f8e432cbc2be/providers/microsoft.authorization/policydefinitions/8d7e1fde-fe26-4b5f-8108-f8e432cbc2beazure_security_benchmark_v3.0_pa-4tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDeprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in.Security CenterBlocked accounts with read and write permissions on Azure resources should be removed
e0fd569c-e34a-4249-8c24-e8d723c7f054Microsoft.Resources/subscriptionstbdFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054e0fd569c-e34a-4249-8c24-e8d723c7f05455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0identitydesignatemorethanoneownermonitoring09024ccc-0c5f-475e-9457-b7c0d9ed487b/providers/microsoft.authorization/policydefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487bazure_security_benchmark_v3.0_pa-1tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinIt is recommended to designate more than one subscription owner in order to have administrator access redundancy.Security CenterThere should be more than one owner assigned to your subscription
e0fd569c-e34a-4249-8c24-e8d723c7f054Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/roledefinitions/a48d7796-14b4-4889-afef-fbb65a93e5a2a48d7796-14b4-4889-afef-fbb65a93e5a255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
e0fd569c-e34a-4249-8c24-e8d723c7f054Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/roledefinitions/9f15f5f5-77bd-413a-aa88-4b9c68b1e7bc9f15f5f5-77bd-413a-aa88-4b9c68b1e7bc55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
e0fd569c-e34a-4249-8c24-e8d723c7f054Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/roledefinitions/7b266cd7-0bba-4ae2-8423-90ede5e1e8987b266cd7-0bba-4ae2-8423-90ede5e1e89855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
e0fd569c-e34a-4249-8c24-e8d723c7f054Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/roledefinitions/7fd64851-3279-459b-b614-e2b2ba760f5b7fd64851-3279-459b-b614-e2b2ba760f5b55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
e0fd569c-e34a-4249-8c24-e8d723c7f054Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/roledefinitions/87d31636-ad85-4caa-802d-1535972b561287d31636-ad85-4caa-802d-1535972b561255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
e0fd569c-e34a-4249-8c24-e8d723c7f054Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/roledefinitions/94ddc4bc-25f5-4f3e-b527-c587da93cfe494ddc4bc-25f5-4f3e-b527-c587da93cfe455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
e0fd569c-e34a-4249-8c24-e8d723c7f054Microsoft.Resources/subscriptionstbdFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054e0fd569c-e34a-4249-8c24-e8d723c7f05455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0identitydesignatelessthanownersmonitoring4f11b553-d42e-4e3a-89be-32ca364cad4c/providers/microsoft.authorization/policydefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4cazure_security_benchmark_v3.0_pa-1tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinIt is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner.Security CenterA maximum of 3 owners should be designated for your subscription
e0fd569c-e34a-4249-8c24-e8d723c7f054Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/roledefinitions/21d96096-b162-414a-8302-d8354f9d91b221d96096-b162-414a-8302-d8354f9d91b255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
e0fd569c-e34a-4249-8c24-e8d723c7f054Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/roledefinitions/260691e6-68c2-47cf-bd4a-97d5fd4dbcd5260691e6-68c2-47cf-bd4a-97d5fd4dbcd555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
e0fd569c-e34a-4249-8c24-e8d723c7f054Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/roledefinitions/7aff565e-6c55-448d-83db-ccf482c6da2f7aff565e-6c55-448d-83db-ccf482c6da2f55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
e0fd569c-e34a-4249-8c24-e8d723c7f054Microsoft.Authorization/roleDefinitionstbdFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/roledefinitions/a16c43ca-2d67-4dcd-9ded-6412f5edc51aa16c43ca-2d67-4dcd-9ded-6412f5edc51a55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0userbacrulesmonitoringa451c1ef-c6ca-483d-87ed-f49761e3ffb5/providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5azure_security_benchmark_v3.0_pa-7tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modelingGeneralAudit usage of custom RBAC rules
e0fd569c-e34a-4249-8c24-e8d723c7f054amlisdkv2-rg-1657840272Microsoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.storage/storageaccounts/amlisdkvstorage6d4542fdaamlisdkvstorage6d4542fda55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
e0fd569c-e34a-4249-8c24-e8d723c7f054amlisdkv2-rg-1657840272Microsoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.storage/storageaccounts/amlisdkvstorage6d4542fdaamlisdkvstorage6d4542fda55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054amlisdkv2-rg-1657840272Microsoft.KeyVault/vaultstbdwestusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.keyvault/vaults/amlisdkvkeyvault98f355a8amlisdkvkeyvault98f355a84df59e9ddb1bfd29/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/4df59e9ddb1bfd296086086491514027311992f05adeaae4147/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/992f05adeaae4147tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit2-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit2-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054amlisdkv2-rg-1657840272Microsoft.MachineLearningServices/workspacestbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.machinelearningservices/workspaces/amlisdkv21657840272amlisdkv2165784027255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0azuremachinelearningworkspacesshoulduseprivatelinkmonitoringeffect40cec1dd-a100-4920-b15b-3024fe8901ab/providers/microsoft.authorization/policydefinitions/40cec1dd-a100-4920-b15b-3024fe8901abazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link.Machine LearningAzure Machine Learning workspaces should use private link
e0fd569c-e34a-4249-8c24-e8d723c7f054amlisdkv2-rg-1657840272Microsoft.MachineLearningServices/workspacestbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.machinelearningservices/workspaces/amlisdkv21657840272amlisdkv21657840272ba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.017718906224026410856c62acd4d95271d71/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c62acd4d95271d71tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
e0fd569c-e34a-4249-8c24-e8d723c7f054amlisdkv2-rg-1657840272Microsoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.keyvault/vaults/amlisdkvkeyvault98f355a8amlisdkvkeyvault98f355a84df59e9ddb1bfd29/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/4df59e9ddb1bfd295754393777034286197f6b63bfe5a86b464/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f6b63bfe5a86b464tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit2-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit2-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054amlisdkv2-rg-1657840272Microsoft.MachineLearningServices/workspacestbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.machinelearningservices/workspaces/amlisdkv21657840272amlisdkv21657840272160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c165780325109665010637620c34b29d73144/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/7620c34b29d73144tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054amlisdkv2-rg-1657840272Microsoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.keyvault/vaults/amlisdkvkeyvault98f355a8amlisdkvkeyvault98f355a847d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a117665953961397091050ad163c031e38be6b/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ad163c031e38be6btbdauditifnotexists/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054amlisdkv2-rg-1657840272Microsoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.storage/storageaccounts/amlisdkvstorage6d4542fdaamlisdkvstorage6d4542fda55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
e0fd569c-e34a-4249-8c24-e8d723c7f054amlisdkv2-rg-1657840272Microsoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.keyvault/vaults/amlisdkvkeyvault98f355a8amlisdkvkeyvault98f355a81.0.05353f06bfd8b6546/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/5353f06bfd8b6546tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdKey-Vault-Soft-Delete-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/key-vault-soft-delete-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054amlisdkv2-rg-1657840272Microsoft.MachineLearningServices/workspacestbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.machinelearningservices/workspaces/amlisdkv21657840272amlisdkv21657840272160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c23057737997671742969c7994a03e85cd7/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/69c7994a03e85cd7tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054amlisdkv2-rg-1657840272Microsoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.storage/storageaccounts/amlisdkvstorage6d4542fdaamlisdkvstorage6d4542fda55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
e0fd569c-e34a-4249-8c24-e8d723c7f054amlisdkv2-rg-1657840272Microsoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.storage/storageaccounts/amlisdkvstorage6d4542fdaamlisdkvstorage6d4542fda55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
e0fd569c-e34a-4249-8c24-e8d723c7f054amlisdkv2-rg-1657840272Microsoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.storage/storageaccounts/amlisdkvstorage6d4542fdaamlisdkvstorage6d4542fda160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c1709027566279544712796d6d845984b3595/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054amlisdkv2-rg-1657840272Microsoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.storage/storageaccounts/amlisdkvstorage6d4542fdaamlisdkvstorage6d4542fda47d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1251291010356515190333109c61cebcee66/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054amlisdkv2-rg-1657840272Microsoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.storage/storageaccounts/amlisdkvstorage6d4542fdaamlisdkvstorage6d4542fda47d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a15029525481295684804abfa13034515d626/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054amlisdkv2-rg-1657840272Microsoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.keyvault/vaults/amlisdkvkeyvault98f355a8amlisdkvkeyvault98f355a8160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c236466222583652451b8df08c9a5e7240d/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/b8df08c9a5e7240dtbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054amlisdkv2-rg-1657840272Microsoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.keyvault/vaults/amlisdkvkeyvault98f355a8amlisdkvkeyvault98f355a855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0-previewprivateendpointshouldbeconfiguredforkeyvaultmonitoringeffect5f0bc445-3935-4915-9981-011aa2b46147/providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147System.Object[]tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPrivate link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration.Key Vault[Preview]: Private endpoint should be configured for Key Vault
e0fd569c-e34a-4249-8c24-e8d723c7f054amlisdkv2-rg-1657840272Microsoft.ContainerRegistry/registriestbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.containerregistry/registries/8e35cf165ff74fad97f367b36208e4828e35cf165ff74fad97f367b36208e48255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.1containerregistryvulnerabilityassessment5f0f936f-2f01-4bf5-b6be-d423792fa562/providers/microsoft.authorization/policydefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562System.Object[]tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinContainer image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.Security CenterContainer registry images should have vulnerability findings resolved
e0fd569c-e34a-4249-8c24-e8d723c7f054amlisdkv2-rg-1657840272Microsoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.storage/storageaccounts/amlisdkvstorage6d4542fdaamlisdkvstorage6d4542fda47d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1121579462494995493798086c3485abfabde/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabdetbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054amlisdkv2-rg-1657840272Microsoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.storage/storageaccounts/amlisdkvstorage6d4542fdaamlisdkvstorage6d4542fda47d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a12997960159391222263cc275f6260404a9a/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9atbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054amlisdkv2-rg-1657840272Microsoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.storage/storageaccounts/amlisdkvstorage6d4542fdaamlisdkvstorage6d4542fda47d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a18127684034919606540ffb3acd578d03dc3/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054amlisdkv2-rg-1657840272Microsoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.keyvault/vaults/amlisdkvkeyvault98f355a8amlisdkvkeyvault98f355a855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center5.0.0diagnosticslogsinkeyvaultmonitoringcf820ca0-f99e-4f3e-84fb-66e913812d21/providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21System.Object[]tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromisedKey VaultResource logs in Key Vault should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054amlisdkv2-rg-1657840272Microsoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.keyvault/vaults/amlisdkvkeyvault98f355a8amlisdkvkeyvault98f355a8160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c8747153269957097825196cc7343d351f3b/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/196cc7343d351f3btbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054amlisdkv2-rg-1657840272Microsoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.storage/storageaccounts/amlisdkvstorage6d4542fdaamlisdkvstorage6d4542fda47d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1129213750941897029333690c8076353f9/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9tbdauditifnotexists/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054amlisdkv2-rg-1657840272Microsoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.storage/storageaccounts/amlisdkvstorage6d4542fdaamlisdkvstorage6d4542fdaba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.014852652528315679993f8db185c400632fd/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fdtbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
e0fd569c-e34a-4249-8c24-e8d723c7f054amlisdkv2-rg-1657840272Microsoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.keyvault/vaults/amlisdkvkeyvault98f355a8amlisdkvkeyvault98f355a855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0firewallshouldbeenabledonkeyvaultmonitoringeffect55615ac9-af46-4a59-874e-391cc3dfb490/providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490System.Object[]tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-securityKey VaultAzure Key Vault should have firewall enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054amlisdkv2-rg-1657840272Microsoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.keyvault/vaults/amlisdkvkeyvault98f355a8amlisdkvkeyvault98f355a8ba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.07716402687079202705c7f4766e826cc01b/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c7f4766e826cc01btbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
e0fd569c-e34a-4249-8c24-e8d723c7f054amlisdkv2-rg-1657840272Microsoft.KeyVault/vaultstbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.keyvault/vaults/amlisdkvkeyvault98f355a8amlisdkvkeyvault98f355a855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect0b60c0b2-2dc2-4e1c-b5c9-abbed971de53/providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53azure_security_benchmark_v3.0_dp-8tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMalicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.Key VaultKey vaults should have purge protection enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054amlisdkv2-rg-1657840272Microsoft.KeyVault/vaultstbdwestusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.keyvault/vaults/amlisdkvkeyvault98f355a8amlisdkvkeyvault98f355a82338abe645719b8f/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/2338abe645719b8f13816903777777977516c8e4d0a348a1a362/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c8e4d0a348a1a362tbdmodify/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdAKV-SD-Initiative-v001/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/akv-sd-initiative-v001
e0fd569c-e34a-4249-8c24-e8d723c7f054amlisdkv2-rg-1657840272Microsoft.KeyVault/vaultstbdwestusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.keyvault/vaults/amlisdkvkeyvault98f355a8amlisdkvkeyvault98f355a855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0keyvaultsshouldhavesoftdeleteenabledmonitoringeffect1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d/providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2dazure_security_benchmark_v3.0_dp-8tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDeleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.Key VaultKey vaults should have soft delete enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054amlisdkv2-rg-1657840272Microsoft.ContainerRegistry/registriestbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.containerregistry/registries/8e35cf165ff74fad97f367b36208e4828e35cf165ff74fad97f367b36208e48255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0containerregistriesshouldnotallowunrestrictednetworkaccessmonitoringeffectd0793b48-0edc-4296-a390-4c75d1bdfd71/providers/microsoft.authorization/policydefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet.Container RegistryContainer registries should not allow unrestricted network access
e0fd569c-e34a-4249-8c24-e8d723c7f054amlisdkv2-rg-1657840272Microsoft.ContainerRegistry/registriestbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.containerregistry/registries/8e35cf165ff74fad97f367b36208e4828e35cf165ff74fad97f367b36208e48255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1containerregistriesshoulduseprivatelinkmonitoringeffecte8eef0a8-67cf-4eb4-9386-14b0e78733d4/providers/microsoft.authorization/policydefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link.Container RegistryContainer registries should use private link
e0fd569c-e34a-4249-8c24-e8d723c7f054amlisdkv2-rg-1657840272Microsoft.ContainerRegistry/registriestbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.containerregistry/registries/8e35cf165ff74fad97f367b36208e4828e35cf165ff74fad97f367b36208e482ba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.041750109159906600906b115614afdfb4f6/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/6b115614afdfb4f6tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
e0fd569c-e34a-4249-8c24-e8d723c7f054amlisdkv2-rg-1657840272Microsoft.ContainerRegistry/registriestbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.containerregistry/registries/8e35cf165ff74fad97f367b36208e4828e35cf165ff74fad97f367b36208e482160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c183298879773221411398ff43c0215fc2b5c/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8ff43c0215fc2b5ctbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054amlisdkv2-rg-1657840272Microsoft.ContainerRegistry/registriestbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.containerregistry/registries/8e35cf165ff74fad97f367b36208e4828e35cf165ff74fad97f367b36208e482160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c14964690428565797584f8e7133d43e7ae8a/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8e7133d43e7ae8atbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054amlisdkv2-rg-1657840272Microsoft.KeyVault/vaultstbdwestusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.keyvault/vaults/amlisdkvkeyvault98f355a8amlisdkvkeyvault98f355a82338abe645719b8f/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/2338abe645719b8f46964228104916040047858cda978bcfbc2/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/7858cda978bcfbc2tbdappend/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdAKV-SD-Initiative-v001/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/akv-sd-initiative-v001
e0fd569c-e34a-4249-8c24-e8d723c7f054amlisdkv2-rg-1657840272Microsoft.ContainerRegistry/registriestbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/amlisdkv2-rg-1657840272/providers/microsoft.containerregistry/registries/8e35cf165ff74fad97f367b36208e4828e35cf165ff74fad97f367b36208e482160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c2301613003442929976449e441566d8792d/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/449e441566d8792dtbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054cmontecillo-aip-commerceMicrosoft.KeyVault/vaultstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.keyvault/vaults/cmontecillocom7861358790cmontecillocom786135879047d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a117665953961397091050ad163c031e38be6b/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ad163c031e38be6btbdauditifnotexists/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054cmontecillo-aip-commerceMicrosoft.KeyVault/vaultstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.keyvault/vaults/cmontecillocom7861358790cmontecillocom78613587901.0.05353f06bfd8b6546/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/5353f06bfd8b6546tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdKey-Vault-Soft-Delete-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/key-vault-soft-delete-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054cmontecillo-aip-commerceMicrosoft.ContainerRegistry/registriestbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.containerregistry/registries/15f35c5e8a03497d995b1ea56cecf47c15f35c5e8a03497d995b1ea56cecf47c55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.1containerregistryvulnerabilityassessment5f0f936f-2f01-4bf5-b6be-d423792fa562/providers/microsoft.authorization/policydefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562System.Object[]tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinContainer image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.Security CenterContainer registry images should have vulnerability findings resolved
e0fd569c-e34a-4249-8c24-e8d723c7f054cmontecillo-aip-commerceMicrosoft.Storage/storageAccountstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.storage/storageaccounts/cmontecillocom9046791133cmontecillocom9046791133ba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.014852652528315679993f8db185c400632fd/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fdtbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
e0fd569c-e34a-4249-8c24-e8d723c7f054cmontecillo-aip-commerceMicrosoft.Storage/storageAccountstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.storage/storageaccounts/cmontecillocom9046791133cmontecillocom9046791133160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c1709027566279544712796d6d845984b3595/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054cmontecillo-aip-commerceMicrosoft.Storage/storageAccountstbdwestcentralusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.storage/storageaccounts/cmontecillocom9046791133cmontecillocom904679113347d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1251291010356515190333109c61cebcee66/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054cmontecillo-aip-commerceMicrosoft.KeyVault/vaultstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.keyvault/vaults/cmontecillocom7861358790cmontecillocom786135879055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0-previewprivateendpointshouldbeconfiguredforkeyvaultmonitoringeffect5f0bc445-3935-4915-9981-011aa2b46147/providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147System.Object[]tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPrivate link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration.Key Vault[Preview]: Private endpoint should be configured for Key Vault
e0fd569c-e34a-4249-8c24-e8d723c7f054cmontecillo-aip-commerceMicrosoft.Storage/storageAccountstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.storage/storageaccounts/cmontecillocom9046791133cmontecillocom904679113355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
e0fd569c-e34a-4249-8c24-e8d723c7f054cmontecillo-aip-commerceMicrosoft.KeyVault/vaultstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.keyvault/vaults/cmontecillocom7861358790cmontecillocom786135879055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0firewallshouldbeenabledonkeyvaultmonitoringeffect55615ac9-af46-4a59-874e-391cc3dfb490/providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490System.Object[]tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-securityKey VaultAzure Key Vault should have firewall enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054cmontecillo-aip-commerceMicrosoft.Storage/storageAccountstbdwestcentralusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.storage/storageaccounts/cmontecillocom9046791133cmontecillocom904679113347d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a15029525481295684804abfa13034515d626/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054cmontecillo-aip-commerceMicrosoft.Storage/storageAccountstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.storage/storageaccounts/cmontecillocom9046791133cmontecillocom904679113347d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1121579462494995493798086c3485abfabde/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabdetbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054cmontecillo-aip-commerceMicrosoft.Storage/storageAccountstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.storage/storageaccounts/cmontecillocom9046791133cmontecillocom904679113347d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a12997960159391222263cc275f6260404a9a/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9atbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054cmontecillo-aip-commerceMicrosoft.KeyVault/vaultstbdwestcentralusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.keyvault/vaults/cmontecillocom7861358790cmontecillocom786135879055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0keyvaultsshouldhavesoftdeleteenabledmonitoringeffect1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d/providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2dazure_security_benchmark_v3.0_dp-8tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDeleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.Key VaultKey vaults should have soft delete enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054cmontecillo-aip-commerceMicrosoft.KeyVault/vaultstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.keyvault/vaults/cmontecillocom7861358790cmontecillocom786135879055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect0b60c0b2-2dc2-4e1c-b5c9-abbed971de53/providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53azure_security_benchmark_v3.0_dp-8tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMalicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.Key VaultKey vaults should have purge protection enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054cmontecillo-aip-commerceMicrosoft.Storage/storageAccountstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.storage/storageaccounts/cmontecillocom9046791133cmontecillocom904679113347d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a18127684034919606540ffb3acd578d03dc3/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054cmontecillo-aip-commerceMicrosoft.KeyVault/vaultstbdwestcentralusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.keyvault/vaults/cmontecillocom7861358790cmontecillocom78613587902338abe645719b8f/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/2338abe645719b8f13816903777777977516c8e4d0a348a1a362/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c8e4d0a348a1a362tbdmodify/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdAKV-SD-Initiative-v001/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/akv-sd-initiative-v001
e0fd569c-e34a-4249-8c24-e8d723c7f054cmontecillo-aip-commerceMicrosoft.KeyVault/vaultstbdwestcentralusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.keyvault/vaults/cmontecillocom7861358790cmontecillocom78613587902338abe645719b8f/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/2338abe645719b8f46964228104916040047858cda978bcfbc2/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/7858cda978bcfbc2tbdappend/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdAKV-SD-Initiative-v001/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/akv-sd-initiative-v001
e0fd569c-e34a-4249-8c24-e8d723c7f054cmontecillo-aip-commerceMicrosoft.KeyVault/vaultstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.keyvault/vaults/cmontecillocom7861358790cmontecillocom786135879055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center5.0.0diagnosticslogsinkeyvaultmonitoringcf820ca0-f99e-4f3e-84fb-66e913812d21/providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21System.Object[]tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromisedKey VaultResource logs in Key Vault should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054cmontecillo-aip-commerceMicrosoft.Storage/storageAccountstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.storage/storageaccounts/cmontecillocom9046791133cmontecillocom904679113347d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1129213750941897029333690c8076353f9/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9tbdauditifnotexists/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054cmontecillo-aip-commerceMicrosoft.ContainerRegistry/registriestbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.containerregistry/registries/15f35c5e8a03497d995b1ea56cecf47c15f35c5e8a03497d995b1ea56cecf47c55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0containerregistriesshouldnotallowunrestrictednetworkaccessmonitoringeffectd0793b48-0edc-4296-a390-4c75d1bdfd71/providers/microsoft.authorization/policydefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet.Container RegistryContainer registries should not allow unrestricted network access
e0fd569c-e34a-4249-8c24-e8d723c7f054cmontecillo-aip-commerceMicrosoft.Storage/storageAccountstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.storage/storageaccounts/cmontecillocom9046791133cmontecillocom904679113355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
e0fd569c-e34a-4249-8c24-e8d723c7f054cmontecillo-aip-commerceMicrosoft.KeyVault/vaultstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.keyvault/vaults/cmontecillocom7861358790cmontecillocom78613587904df59e9ddb1bfd29/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/4df59e9ddb1bfd295754393777034286197f6b63bfe5a86b464/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f6b63bfe5a86b464tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit2-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit2-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054cmontecillo-aip-commerceMicrosoft.Storage/storageAccountstbdwestcentralusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.storage/storageaccounts/cmontecillocom9046791133cmontecillocom904679113355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
e0fd569c-e34a-4249-8c24-e8d723c7f054cmontecillo-aip-commerceMicrosoft.Storage/storageAccountstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.storage/storageaccounts/cmontecillocom9046791133cmontecillocom904679113355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
e0fd569c-e34a-4249-8c24-e8d723c7f054cmontecillo-aip-commerceMicrosoft.KeyVault/vaultstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.keyvault/vaults/cmontecillocom7861358790cmontecillocom7861358790160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c8747153269957097825196cc7343d351f3b/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/196cc7343d351f3btbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054cmontecillo-aip-commerceMicrosoft.KeyVault/vaultstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.keyvault/vaults/cmontecillocom7861358790cmontecillocom7861358790ba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.07716402687079202705c7f4766e826cc01b/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c7f4766e826cc01btbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
e0fd569c-e34a-4249-8c24-e8d723c7f054cmontecillo-aip-commerceMicrosoft.ContainerRegistry/registriestbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.containerregistry/registries/15f35c5e8a03497d995b1ea56cecf47c15f35c5e8a03497d995b1ea56cecf47c160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c2301613003442929976449e441566d8792d/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/449e441566d8792dtbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054cmontecillo-aip-commerceMicrosoft.MachineLearningServices/workspacestbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.machinelearningservices/workspaces/cmontecillocommercecmontecillocommerce160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c165780325109665010637620c34b29d73144/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/7620c34b29d73144tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054cmontecillo-aip-commerceMicrosoft.MachineLearningServices/workspacestbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.machinelearningservices/workspaces/cmontecillocommercecmontecillocommerce160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c23057737997671742969c7994a03e85cd7/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/69c7994a03e85cd7tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054cmontecillo-aip-commerceMicrosoft.KeyVault/vaultstbdwestcentralusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.keyvault/vaults/cmontecillocom7861358790cmontecillocom78613587904df59e9ddb1bfd29/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/4df59e9ddb1bfd296086086491514027311992f05adeaae4147/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/992f05adeaae4147tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit2-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit2-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054cmontecillo-aip-commerceMicrosoft.KeyVault/vaultstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.keyvault/vaults/cmontecillocom7861358790cmontecillocom7861358790160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c236466222583652451b8df08c9a5e7240d/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/b8df08c9a5e7240dtbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054cmontecillo-aip-commerceMicrosoft.ContainerRegistry/registriestbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.containerregistry/registries/15f35c5e8a03497d995b1ea56cecf47c15f35c5e8a03497d995b1ea56cecf47c160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c14964690428565797584f8e7133d43e7ae8a/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8e7133d43e7ae8atbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054cmontecillo-aip-commerceMicrosoft.MachineLearningServices/workspacestbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.machinelearningservices/workspaces/cmontecillocommercecmontecillocommerce55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0azuremachinelearningworkspacesshoulduseprivatelinkmonitoringeffect40cec1dd-a100-4920-b15b-3024fe8901ab/providers/microsoft.authorization/policydefinitions/40cec1dd-a100-4920-b15b-3024fe8901abazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link.Machine LearningAzure Machine Learning workspaces should use private link
e0fd569c-e34a-4249-8c24-e8d723c7f054cmontecillo-aip-commerceMicrosoft.ContainerRegistry/registriestbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.containerregistry/registries/15f35c5e8a03497d995b1ea56cecf47c15f35c5e8a03497d995b1ea56cecf47c160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c183298879773221411398ff43c0215fc2b5c/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8ff43c0215fc2b5ctbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054cmontecillo-aip-commerceMicrosoft.ContainerRegistry/registriestbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.containerregistry/registries/15f35c5e8a03497d995b1ea56cecf47c15f35c5e8a03497d995b1ea56cecf47cba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.041750109159906600906b115614afdfb4f6/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/6b115614afdfb4f6tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
e0fd569c-e34a-4249-8c24-e8d723c7f054cmontecillo-aip-commerceMicrosoft.ContainerRegistry/registriestbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.containerregistry/registries/15f35c5e8a03497d995b1ea56cecf47c15f35c5e8a03497d995b1ea56cecf47c55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1containerregistriesshoulduseprivatelinkmonitoringeffecte8eef0a8-67cf-4eb4-9386-14b0e78733d4/providers/microsoft.authorization/policydefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link.Container RegistryContainer registries should use private link
e0fd569c-e34a-4249-8c24-e8d723c7f054cmontecillo-aip-commerceMicrosoft.Storage/storageAccountstbdwestcentralusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.storage/storageaccounts/cmontecillocom9046791133cmontecillocom904679113355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054cmontecillo-aip-commerceMicrosoft.MachineLearningServices/workspacestbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/cmontecillo-aip-commerce/providers/microsoft.machinelearningservices/workspaces/cmontecillocommercecmontecillocommerceba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.017718906224026410856c62acd4d95271d71/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c62acd4d95271d71tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
e0fd569c-e34a-4249-8c24-e8d723c7f054hawestra-rgMicrosoft.Storage/storageAccountstbdeastus2TrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.storage/storageaccounts/hawestraws9299687314hawestraws929968731455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
e0fd569c-e34a-4249-8c24-e8d723c7f054hawestra-rgMicrosoft.MachineLearningServices/workspacestbdeastus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.machinelearningservices/workspaces/hawestra-wshawestra-ws55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0azuremachinelearningworkspacesshoulduseprivatelinkmonitoringeffect40cec1dd-a100-4920-b15b-3024fe8901ab/providers/microsoft.authorization/policydefinitions/40cec1dd-a100-4920-b15b-3024fe8901abazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link.Machine LearningAzure Machine Learning workspaces should use private link
e0fd569c-e34a-4249-8c24-e8d723c7f054hawestra-rgMicrosoft.MachineLearningServices/workspacestbdeastus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.machinelearningservices/workspaces/hawestra-wshawestra-wsba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.017718906224026410856c62acd4d95271d71/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c62acd4d95271d71tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
e0fd569c-e34a-4249-8c24-e8d723c7f054hawestra-rgMicrosoft.KeyVault/vaultstbdeastus2TrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.keyvault/vaults/hawestraws0768095938hawestraws07680959382338abe645719b8f/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/2338abe645719b8f46964228104916040047858cda978bcfbc2/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/7858cda978bcfbc2tbdappend/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdAKV-SD-Initiative-v001/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/akv-sd-initiative-v001
e0fd569c-e34a-4249-8c24-e8d723c7f054hawestra-rgMicrosoft.KeyVault/vaultstbdeastus2TrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.keyvault/vaults/hawestraws0768095938hawestraws07680959382338abe645719b8f/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/2338abe645719b8f13816903777777977516c8e4d0a348a1a362/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c8e4d0a348a1a362tbdmodify/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdAKV-SD-Initiative-v001/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/akv-sd-initiative-v001
e0fd569c-e34a-4249-8c24-e8d723c7f054hawestra-rgMicrosoft.MachineLearningServices/workspacestbdeastus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.machinelearningservices/workspaces/hawestra-wshawestra-ws160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c23057737997671742969c7994a03e85cd7/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/69c7994a03e85cd7tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054hawestra-rgMicrosoft.MachineLearningServices/workspacestbdeastus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.machinelearningservices/workspaces/hawestra-wshawestra-ws160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c165780325109665010637620c34b29d73144/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/7620c34b29d73144tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054hawestra-rgMicrosoft.Storage/storageAccountstbdeastus2TrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.storage/storageaccounts/hawestraws9299687314hawestraws929968731455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054hawestra-rgMicrosoft.Storage/storageAccountstbdeastus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.storage/storageaccounts/hawestraws9299687314hawestraws929968731455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
e0fd569c-e34a-4249-8c24-e8d723c7f054hawestra-rgMicrosoft.Storage/storageAccountstbdeastus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.storage/storageaccounts/hawestraws9299687314hawestraws929968731447d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a18127684034919606540ffb3acd578d03dc3/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054hawestra-rgMicrosoft.Storage/storageAccountstbdeastus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.storage/storageaccounts/hawestraws9299687314hawestraws9299687314ba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.014852652528315679993f8db185c400632fd/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fdtbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
e0fd569c-e34a-4249-8c24-e8d723c7f054hawestra-rgMicrosoft.KeyVault/vaultstbdeastus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.keyvault/vaults/hawestraws0768095938hawestraws0768095938160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c236466222583652451b8df08c9a5e7240d/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/b8df08c9a5e7240dtbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054hawestra-rgMicrosoft.KeyVault/vaultstbdeastus2TrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.keyvault/vaults/hawestraws0768095938hawestraws07680959384df59e9ddb1bfd29/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/4df59e9ddb1bfd296086086491514027311992f05adeaae4147/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/992f05adeaae4147tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit2-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit2-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054hawestra-rgMicrosoft.KeyVault/vaultstbdeastus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.keyvault/vaults/hawestraws0768095938hawestraws07680959384df59e9ddb1bfd29/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/4df59e9ddb1bfd295754393777034286197f6b63bfe5a86b464/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f6b63bfe5a86b464tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit2-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit2-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054hawestra-rgMicrosoft.KeyVault/vaultstbdeastus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.keyvault/vaults/hawestraws0768095938hawestraws0768095938ba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.07716402687079202705c7f4766e826cc01b/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c7f4766e826cc01btbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
e0fd569c-e34a-4249-8c24-e8d723c7f054hawestra-rgMicrosoft.KeyVault/vaultstbdeastus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.keyvault/vaults/hawestraws0768095938hawestraws07680959381.0.05353f06bfd8b6546/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/5353f06bfd8b6546tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdKey-Vault-Soft-Delete-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/key-vault-soft-delete-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054hawestra-rgMicrosoft.KeyVault/vaultstbdeastus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.keyvault/vaults/hawestraws0768095938hawestraws076809593855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0-previewprivateendpointshouldbeconfiguredforkeyvaultmonitoringeffect5f0bc445-3935-4915-9981-011aa2b46147/providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147System.Object[]tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPrivate link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration.Key Vault[Preview]: Private endpoint should be configured for Key Vault
e0fd569c-e34a-4249-8c24-e8d723c7f054hawestra-rgMicrosoft.KeyVault/vaultstbdeastus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.keyvault/vaults/hawestraws0768095938hawestraws076809593855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0firewallshouldbeenabledonkeyvaultmonitoringeffect55615ac9-af46-4a59-874e-391cc3dfb490/providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490System.Object[]tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-securityKey VaultAzure Key Vault should have firewall enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054hawestra-rgMicrosoft.Storage/storageAccountstbdeastus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.storage/storageaccounts/hawestraws9299687314hawestraws929968731447d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1129213750941897029333690c8076353f9/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9tbdauditifnotexists/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054hawestra-rgMicrosoft.Storage/storageAccountstbdeastus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.storage/storageaccounts/hawestraws9299687314hawestraws929968731455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
e0fd569c-e34a-4249-8c24-e8d723c7f054hawestra-rgMicrosoft.Storage/storageAccountstbdeastus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.storage/storageaccounts/hawestraws9299687314hawestraws929968731455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
e0fd569c-e34a-4249-8c24-e8d723c7f054hawestra-rgMicrosoft.KeyVault/vaultstbdeastus2TrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.keyvault/vaults/hawestraws0768095938hawestraws076809593855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0keyvaultsshouldhavesoftdeleteenabledmonitoringeffect1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d/providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2dazure_security_benchmark_v3.0_dp-8tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDeleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.Key VaultKey vaults should have soft delete enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054hawestra-rgMicrosoft.KeyVault/vaultstbdeastus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.keyvault/vaults/hawestraws0768095938hawestraws076809593855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect0b60c0b2-2dc2-4e1c-b5c9-abbed971de53/providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53azure_security_benchmark_v3.0_dp-8tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMalicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.Key VaultKey vaults should have purge protection enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054hawestra-rgMicrosoft.KeyVault/vaultstbdeastus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.keyvault/vaults/hawestraws0768095938hawestraws0768095938160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c8747153269957097825196cc7343d351f3b/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/196cc7343d351f3btbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054hawestra-rgMicrosoft.Storage/storageAccountstbdeastus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.storage/storageaccounts/hawestraws9299687314hawestraws9299687314160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c1709027566279544712796d6d845984b3595/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054hawestra-rgMicrosoft.Storage/storageAccountstbdeastus2TrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.storage/storageaccounts/hawestraws9299687314hawestraws929968731447d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1251291010356515190333109c61cebcee66/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054hawestra-rgMicrosoft.KeyVault/vaultstbdeastus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.keyvault/vaults/hawestraws0768095938hawestraws076809593855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center5.0.0diagnosticslogsinkeyvaultmonitoringcf820ca0-f99e-4f3e-84fb-66e913812d21/providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21System.Object[]tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromisedKey VaultResource logs in Key Vault should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054hawestra-rgMicrosoft.KeyVault/vaultstbdeastus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.keyvault/vaults/hawestraws0768095938hawestraws076809593847d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a117665953961397091050ad163c031e38be6b/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ad163c031e38be6btbdauditifnotexists/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054hawestra-rgMicrosoft.Storage/storageAccountstbdeastus2TrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/hawestra-rg/providers/microsoft.storage/storageaccounts/hawestraws9299687314hawestraws929968731447d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a15029525481295684804abfa13034515d626/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-bugbash-eusMicrosoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfywus1mlregoedfywus155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-bugbash-eusMicrosoft.Storage/storageAccountstbdeastus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfyeus21mlregoedfyeus21ba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.014852652528315679993f8db185c400632fd/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fdtbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-bugbash-eusMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfyeus1mlregoedfyeus1160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c1709027566279544712796d6d845984b3595/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-bugbash-eusMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfyeus1mlregoedfyeus155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-bugbash-eusMicrosoft.Storage/storageAccountstbdeastus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfyeus21mlregoedfyeus21160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c1709027566279544712796d6d845984b3595/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-bugbash-eusMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfywus1mlregoedfywus1ba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.014852652528315679993f8db185c400632fd/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fdtbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-bugbash-eusMicrosoft.Storage/storageAccountstbdeastus2TrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfyeus21mlregoedfyeus2147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1251291010356515190333109c61cebcee66/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-bugbash-eusMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfywus1mlregoedfywus1160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c1709027566279544712796d6d845984b3595/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-bugbash-eusMicrosoft.Storage/storageAccountstbdeastus2TrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfyeus21mlregoedfyeus2147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a15029525481295684804abfa13034515d626/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-bugbash-eusMicrosoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfywus1mlregoedfywus147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1251291010356515190333109c61cebcee66/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-bugbash-eusMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfyeus1mlregoedfyeus155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-bugbash-eusMicrosoft.Storage/storageAccountstbdeastus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfyeus21mlregoedfyeus2147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1121579462494995493798086c3485abfabde/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabdetbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-bugbash-eusMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfywus1mlregoedfywus147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1121579462494995493798086c3485abfabde/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabdetbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-bugbash-eusMicrosoft.Storage/storageAccountstbdeastus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfyeus21mlregoedfyeus2147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a12997960159391222263cc275f6260404a9a/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9atbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-bugbash-eusMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfywus1mlregoedfywus147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a12997960159391222263cc275f6260404a9a/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9atbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-bugbash-eusMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfywus1mlregoedfywus147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a18127684034919606540ffb3acd578d03dc3/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-bugbash-eusMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfywus1mlregoedfywus155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-bugbash-eusMicrosoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfywus1mlregoedfywus147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a15029525481295684804abfa13034515d626/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-bugbash-eusMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.storage/storageaccounts/mlregoedfywus1mlregoedfywus155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-bugbash-eusMicrosoft.ContainerRegistry/registriestbdeastusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.containerregistry/registries/mlregoedfymlregoedfy55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1containerregistriesshoulduseprivatelinkmonitoringeffecte8eef0a8-67cf-4eb4-9386-14b0e78733d4/providers/microsoft.authorization/policydefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link.Container RegistryContainer registries should use private link
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-bugbash-eusMicrosoft.ContainerRegistry/registriestbdeastusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.containerregistry/registries/mlregoedfymlregoedfy160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c2301613003442929976449e441566d8792d/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/449e441566d8792dtbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-bugbash-eusMicrosoft.ContainerRegistry/registriestbdeastusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.containerregistry/registries/mlregoedfymlregoedfy160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c14964690428565797584f8e7133d43e7ae8a/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8e7133d43e7ae8atbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-bugbash-eusMicrosoft.ContainerRegistry/registriestbdeastusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.containerregistry/registries/mlregoedfymlregoedfy160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c183298879773221411398ff43c0215fc2b5c/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8ff43c0215fc2b5ctbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-bugbash-eusMicrosoft.ContainerRegistry/registriestbdeastusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.containerregistry/registries/mlregoedfymlregoedfyba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.041750109159906600906b115614afdfb4f6/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/6b115614afdfb4f6tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-bugbash-eusMicrosoft.ContainerRegistry/registriestbdeastusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.containerregistry/registries/mlregoedfymlregoedfy55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.1containerregistryvulnerabilityassessment5f0f936f-2f01-4bf5-b6be-d423792fa562/providers/microsoft.authorization/policydefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562System.Object[]tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinContainer image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.Security CenterContainer registry images should have vulnerability findings resolved
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-bugbash-eusMicrosoft.ContainerRegistry/registriestbdeastusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-bugbash-eus/providers/microsoft.containerregistry/registries/mlregoedfymlregoedfy55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0containerregistriesshouldnotallowunrestrictednetworkaccessmonitoringeffectd0793b48-0edc-4296-a390-4c75d1bdfd71/providers/microsoft.authorization/policydefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet.Container RegistryContainer registries should not allow unrestricted network access
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2Microsoft.MachineLearningServices/workspacestbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.machinelearningservices/workspaces/kicha-wus2kicha-wus2ba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.017718906224026410856c62acd4d95271d71/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c62acd4d95271d71tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2,Microsoft.MachineLearningServices/workspaces,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.machinelearningservices/workspaces/kicha-wus2,kicha-wus2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.1.0,azuremachinelearningworkspacesshoulduseprivatelinkmonitoringeffect,40cec1dd-a100-4920-b15b-3024fe8901ab,/providers/microsoft.authorization/policydefinitions/40cec1dd-a100-4920-b15b-3024fe8901ab,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,tbd,,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link.",Machine Learning,Azure Machine Learning workspaces should use private link
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2,Microsoft.KeyVault/vaults,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.keyvault/vaults/kichawus26605359390,kichawus26605359390,,,,160bc010a809a54c,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c,,,,8747153269957097825,196cc7343d351f3b,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/196cc7343d351f3b,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit1-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2,Microsoft.Storage/storageAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.storage/storageaccounts/kichawus20679782231,kichawus20679782231,,,,ba5e650e435f7c81,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81,,,1.0,14852652528315679993,f8db185c400632fd,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,SEC-NetIso-PaaS-v012,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2,Microsoft.Storage/storageAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.storage/storageaccounts/kichawus20679782231,kichawus20679782231,,,,160bc010a809a54c,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c,,,,17090275662795447127,96d6d845984b3595,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit1-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2,Microsoft.Storage/storageAccounts,tbd,westus2,True,Compliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.storage/storageaccounts/kichawus20679782231,kichawus20679782231,,,,47d8e1d3106c85a1,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1,,,,2512910103565151903,33109c61cebcee66,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit3-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2,Microsoft.ContainerRegistry/registries,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.containerregistry/registries/f3c751bc90f549f9b903b5740be5eab0,f3c751bc90f549f9b903b5740be5eab0,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.1,containerregistryvulnerabilityassessment,5f0f936f-2f01-4bf5-b6be-d423792fa562,/providers/microsoft.authorization/policydefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562,System.Object[],tbd,auditifnotexists,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,tbd,,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.",Security Center,Container registry images should have vulnerability findings resolved
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2,Microsoft.KeyVault/vaults,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.keyvault/vaults/kichawus26605359390,kichawus26605359390,,,,47d8e1d3106c85a1,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1,,,,17665953961397091050,ad163c031e38be6b,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ad163c031e38be6b,,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit3-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2,Microsoft.KeyVault/vaults,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.keyvault/vaults/kichawus26605359390,kichawus26605359390,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,5.0.0,diagnosticslogsinkeyvaultmonitoring,cf820ca0-f99e-4f3e-84fb-66e913812d21,/providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21,System.Object[],tbd,auditifnotexists,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,tbd,,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised",Key Vault,Resource logs in Key Vault should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2,Microsoft.KeyVault/vaults,tbd,westus2,True,Compliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.keyvault/vaults/kichawus26605359390,kichawus26605359390,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,keyvaultsshouldhavesoftdeleteenabledmonitoringeffect,1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d,/providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d,azure_security_benchmark_v3.0_dp-8,tbd,audit,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,tbd,,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.",Key Vault,Key vaults should have soft delete enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2,Microsoft.ContainerRegistry/registries,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.containerregistry/registries/f3c751bc90f549f9b903b5740be5eab0,f3c751bc90f549f9b903b5740be5eab0,,,,ba5e650e435f7c81,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81,,,1.0,4175010915990660090,6b115614afdfb4f6,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/6b115614afdfb4f6,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,SEC-NetIso-PaaS-v012,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2,Microsoft.Storage/storageAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.storage/storageaccounts/kichawus20679782231,kichawus20679782231,,,,47d8e1d3106c85a1,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1,,,,12157946249499549379,8086c3485abfabde,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit3-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2,Microsoft.Storage/storageAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.storage/storageaccounts/kichawus20679782231,kichawus20679782231,,,,47d8e1d3106c85a1,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1,,,,2997960159391222263,cc275f6260404a9a,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit3-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2,Microsoft.Storage/storageAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.storage/storageaccounts/kichawus20679782231,kichawus20679782231,,,,47d8e1d3106c85a1,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1,,,,8127684034919606540,ffb3acd578d03dc3,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit3-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2,Microsoft.Storage/storageAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.storage/storageaccounts/kichawus20679782231,kichawus20679782231,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,tbd,,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,Storage accounts should use private link
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2,Microsoft.ContainerRegistry/registries,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.containerregistry/registries/f3c751bc90f549f9b903b5740be5eab0,f3c751bc90f549f9b903b5740be5eab0,,,,160bc010a809a54c,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c,,,,2301613003442929976,449e441566d8792d,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/449e441566d8792d,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit1-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2,Microsoft.ContainerRegistry/registries,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.containerregistry/registries/f3c751bc90f549f9b903b5740be5eab0,f3c751bc90f549f9b903b5740be5eab0,,,,160bc010a809a54c,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c,,,,14964690428565797584,f8e7133d43e7ae8a,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8e7133d43e7ae8a,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit1-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2,Microsoft.Storage/storageAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.storage/storageaccounts/kichawus20679782231,kichawus20679782231,,,,47d8e1d3106c85a1,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1,,,,12921375094189702933,3690c8076353f9,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9,,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit3-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2,Microsoft.ContainerRegistry/registries,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.containerregistry/registries/f3c751bc90f549f9b903b5740be5eab0,f3c751bc90f549f9b903b5740be5eab0,,,,160bc010a809a54c,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c,,,,18329887977322141139,8ff43c0215fc2b5c,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8ff43c0215fc2b5c,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit1-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2,Microsoft.Storage/storageAccounts,tbd,westus2,True,Compliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.storage/storageaccounts/kichawus20679782231,kichawus20679782231,,,,47d8e1d3106c85a1,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1,,,,5029525481295684804,abfa13034515d626,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit3-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2,Microsoft.MachineLearningServices/workspaces,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.machinelearningservices/workspaces/kicha-wus2,kicha-wus2,,,,160bc010a809a54c,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c,,,,230577379976717429,69c7994a03e85cd7,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/69c7994a03e85cd7,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit1-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2,Microsoft.MachineLearningServices/workspaces,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.machinelearningservices/workspaces/kicha-wus2,kicha-wus2,,,,160bc010a809a54c,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c,,,,16578032510966501063,7620c34b29d73144,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/7620c34b29d73144,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit1-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2,Microsoft.KeyVault/vaults,tbd,westus2,True,Compliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.keyvault/vaults/kichawus26605359390,kichawus26605359390,,,,2338abe645719b8f,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/2338abe645719b8f,,,,13816903777777977516,c8e4d0a348a1a362,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c8e4d0a348a1a362,,tbd,modify,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,AKV-SD-Initiative-v001,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/akv-sd-initiative-v001,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2,Microsoft.KeyVault/vaults,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.keyvault/vaults/kichawus26605359390,kichawus26605359390,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,firewallshouldbeenabledonkeyvaultmonitoringeffect,55615ac9-af46-4a59-874e-391cc3dfb490,/providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490,System.Object[],tbd,audit,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,tbd,,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security",Key Vault,Azure Key Vault should have firewall enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2,Microsoft.KeyVault/vaults,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.keyvault/vaults/kichawus26605359390,kichawus26605359390,,,,ba5e650e435f7c81,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81,,,1.0,7716402687079202705,c7f4766e826cc01b,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c7f4766e826cc01b,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,SEC-NetIso-PaaS-v012,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2,Microsoft.KeyVault/vaults,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.keyvault/vaults/kichawus26605359390,kichawus26605359390,,,,4df59e9ddb1bfd29,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/4df59e9ddb1bfd29,,,,5754393777034286197,f6b63bfe5a86b464,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f6b63bfe5a86b464,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit2-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit2-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2,Microsoft.KeyVault/vaults,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.keyvault/vaults/kichawus26605359390,kichawus26605359390,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect,0b60c0b2-2dc2-4e1c-b5c9-abbed971de53,/providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53,azure_security_benchmark_v3.0_dp-8,tbd,audit,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,tbd,,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.",Key Vault,Key vaults should have purge protection enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2,Microsoft.ContainerRegistry/registries,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.containerregistry/registries/f3c751bc90f549f9b903b5740be5eab0,f3c751bc90f549f9b903b5740be5eab0,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,containerregistriesshoulduseprivatelinkmonitoringeffect,e8eef0a8-67cf-4eb4-9386-14b0e78733d4,/providers/microsoft.authorization/policydefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,tbd,,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link.",Container Registry,Container registries should use private link
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2,Microsoft.KeyVault/vaults,tbd,westus2,True,Compliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.keyvault/vaults/kichawus26605359390,kichawus26605359390,,,,2338abe645719b8f,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/2338abe645719b8f,,,,4696422810491604004,7858cda978bcfbc2,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/7858cda978bcfbc2,,tbd,append,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,AKV-SD-Initiative-v001,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/akv-sd-initiative-v001,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2,Microsoft.ContainerRegistry/registries,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.containerregistry/registries/f3c751bc90f549f9b903b5740be5eab0,f3c751bc90f549f9b903b5740be5eab0,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,containerregistriesshouldnotallowunrestrictednetworkaccessmonitoringeffect,d0793b48-0edc-4296-a390-4c75d1bdfd71,/providers/microsoft.authorization/policydefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,tbd,,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet.",Container Registry,Container registries should not allow unrestricted network access
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2,Microsoft.KeyVault/vaults,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.keyvault/vaults/kichawus26605359390,kichawus26605359390,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.1.0-preview,privateendpointshouldbeconfiguredforkeyvaultmonitoringeffect,5f0bc445-3935-4915-9981-011aa2b46147,/providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147,System.Object[],tbd,audit,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,tbd,,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration.",Key Vault,[Preview]: Private endpoint should be configured for Key Vault
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2,Microsoft.Storage/storageAccounts,tbd,westus2,True,Compliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.storage/storageaccounts/kichawus20679782231,kichawus20679782231,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,tbd,,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2,Microsoft.Storage/storageAccounts,tbd,westus2,True,Compliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.storage/storageaccounts/kichawus20679782231,kichawus20679782231,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,tbd,,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,Storage accounts should be migrated to new Azure Resource Manager resources
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2,Microsoft.KeyVault/vaults,tbd,westus2,True,Compliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.keyvault/vaults/kichawus26605359390,kichawus26605359390,,,,4df59e9ddb1bfd29,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/4df59e9ddb1bfd29,,,,6086086491514027311,992f05adeaae4147,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/992f05adeaae4147,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit2-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit2-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2,Microsoft.Storage/storageAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.storage/storageaccounts/kichawus20679782231,kichawus20679782231,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,tbd,,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,[Preview]: Storage account public access should be disallowed
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2,Microsoft.KeyVault/vaults,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.keyvault/vaults/kichawus26605359390,kichawus26605359390,,,,160bc010a809a54c,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c,,,,236466222583652451,b8df08c9a5e7240d,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/b8df08c9a5e7240d,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit1-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2,Microsoft.Storage/storageAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.storage/storageaccounts/kichawus20679782231,kichawus20679782231,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,tbd,,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,Storage accounts should restrict network access using virtual network rules
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2Microsoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2/providers/microsoft.keyvault/vaults/kichawus26605359390kichawus266053593901.0.05353f06bfd8b6546/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/5353f06bfd8b6546tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdKey-Vault-Soft-Delete-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/key-vault-soft-delete-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-2Microsoft.Storage/storageAccountstbdwestus2TrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.storage/storageaccounts/kichawus220787411578kichawus22078741157855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-2Microsoft.KeyVault/vaultstbdwestus2TrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.keyvault/vaults/kichawus222942034155kichawus22294203415555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0keyvaultsshouldhavesoftdeleteenabledmonitoringeffect1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d/providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2dazure_security_benchmark_v3.0_dp-8tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDeleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.Key VaultKey vaults should have soft delete enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-2Microsoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.keyvault/vaults/kichawus222942034155kichawus22294203415547d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a117665953961397091050ad163c031e38be6b/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ad163c031e38be6btbdauditifnotexists/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-2Microsoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.keyvault/vaults/kichawus222942034155kichawus22294203415555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0firewallshouldbeenabledonkeyvaultmonitoringeffect55615ac9-af46-4a59-874e-391cc3dfb490/providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490System.Object[]tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-securityKey VaultAzure Key Vault should have firewall enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-2Microsoft.KeyVault/vaultstbdwestus2TrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.keyvault/vaults/kichawus222942034155kichawus2229420341552338abe645719b8f/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/2338abe645719b8f46964228104916040047858cda978bcfbc2/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/7858cda978bcfbc2tbdappend/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdAKV-SD-Initiative-v001/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/akv-sd-initiative-v001
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-2Microsoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.keyvault/vaults/kichawus222942034155kichawus22294203415555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center5.0.0diagnosticslogsinkeyvaultmonitoringcf820ca0-f99e-4f3e-84fb-66e913812d21/providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21System.Object[]tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromisedKey VaultResource logs in Key Vault should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-2Microsoft.KeyVault/vaultstbdwestus2TrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.keyvault/vaults/kichawus222942034155kichawus2229420341552338abe645719b8f/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/2338abe645719b8f13816903777777977516c8e4d0a348a1a362/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c8e4d0a348a1a362tbdmodify/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdAKV-SD-Initiative-v001/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/akv-sd-initiative-v001
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-2Microsoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.keyvault/vaults/kichawus222942034155kichawus22294203415555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect0b60c0b2-2dc2-4e1c-b5c9-abbed971de53/providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53azure_security_benchmark_v3.0_dp-8tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMalicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.Key VaultKey vaults should have purge protection enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-2Microsoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.keyvault/vaults/kichawus222942034155kichawus22294203415555.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0-previewprivateendpointshouldbeconfiguredforkeyvaultmonitoringeffect5f0bc445-3935-4915-9981-011aa2b46147/providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147System.Object[]tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPrivate link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration.Key Vault[Preview]: Private endpoint should be configured for Key Vault
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-2Microsoft.Storage/storageAccountstbdwestus2TrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.storage/storageaccounts/kichawus220787411578kichawus22078741157855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-2Microsoft.Storage/storageAccountstbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.storage/storageaccounts/kichawus220787411578kichawus220787411578ba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.014852652528315679993f8db185c400632fd/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fdtbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-2Microsoft.Storage/storageAccountstbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.storage/storageaccounts/kichawus220787411578kichawus22078741157855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-2Microsoft.MachineLearningServices/workspacestbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.machinelearningservices/workspaces/kicha-wus2-2kicha-wus2-2ba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.017718906224026410856c62acd4d95271d71/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c62acd4d95271d71tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-2Microsoft.Storage/storageAccountstbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.storage/storageaccounts/kichawus220787411578kichawus22078741157855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-2Microsoft.MachineLearningServices/workspacestbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.machinelearningservices/workspaces/kicha-wus2-2kicha-wus2-2160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c23057737997671742969c7994a03e85cd7/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/69c7994a03e85cd7tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-2Microsoft.MachineLearningServices/workspacestbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.machinelearningservices/workspaces/kicha-wus2-2kicha-wus2-2160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c165780325109665010637620c34b29d73144/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/7620c34b29d73144tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-2Microsoft.Storage/storageAccountstbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.storage/storageaccounts/kichawus220787411578kichawus22078741157847d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1129213750941897029333690c8076353f9/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9tbdauditifnotexists/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-2Microsoft.Storage/storageAccountstbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.storage/storageaccounts/kichawus220787411578kichawus22078741157847d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a18127684034919606540ffb3acd578d03dc3/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-2Microsoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.keyvault/vaults/kichawus222942034155kichawus222942034155160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c8747153269957097825196cc7343d351f3b/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/196cc7343d351f3btbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-2Microsoft.KeyVault/vaultstbdwestus2TrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.keyvault/vaults/kichawus222942034155kichawus2229420341554df59e9ddb1bfd29/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/4df59e9ddb1bfd296086086491514027311992f05adeaae4147/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/992f05adeaae4147tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit2-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit2-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-2Microsoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.keyvault/vaults/kichawus222942034155kichawus222942034155160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c236466222583652451b8df08c9a5e7240d/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/b8df08c9a5e7240dtbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-2Microsoft.Storage/storageAccountstbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.storage/storageaccounts/kichawus220787411578kichawus22078741157855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-2Microsoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.keyvault/vaults/kichawus222942034155kichawus222942034155ba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.07716402687079202705c7f4766e826cc01b/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c7f4766e826cc01btbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-2Microsoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.keyvault/vaults/kichawus222942034155kichawus2229420341551.0.05353f06bfd8b6546/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/5353f06bfd8b6546tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdKey-Vault-Soft-Delete-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/key-vault-soft-delete-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-2Microsoft.Storage/storageAccountstbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.storage/storageaccounts/kichawus220787411578kichawus22078741157847d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a12997960159391222263cc275f6260404a9a/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9atbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-2Microsoft.Storage/storageAccountstbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.storage/storageaccounts/kichawus220787411578kichawus22078741157847d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1121579462494995493798086c3485abfabde/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabdetbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-2Microsoft.Storage/storageAccountstbdwestus2TrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.storage/storageaccounts/kichawus220787411578kichawus22078741157847d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a15029525481295684804abfa13034515d626/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2-2,Microsoft.Storage/storageAccounts,tbd,westus2,True,Compliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.storage/storageaccounts/kichawus220787411578,kichawus220787411578,,,,47d8e1d3106c85a1,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1,,,,2512910103565151903,33109c61cebcee66,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,,tbd,ASB-Audit3-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2-2,Microsoft.Storage/storageAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.storage/storageaccounts/kichawus220787411578,kichawus220787411578,,,,160bc010a809a54c,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c,,,,17090275662795447127,96d6d845984b3595,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,,tbd,ASB-Audit1-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2-2,Microsoft.KeyVault/vaults,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.keyvault/vaults/kichawus222942034155,kichawus222942034155,,,,4df59e9ddb1bfd29,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/4df59e9ddb1bfd29,,,,5754393777034286197,f6b63bfe5a86b464,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f6b63bfe5a86b464,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,,tbd,ASB-Audit2-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit2-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2-2,Microsoft.MachineLearningServices/workspaces,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-2/providers/microsoft.machinelearningservices/workspaces/kicha-wus2-2,kicha-wus2-2,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.1.0,azuremachinelearningworkspacesshoulduseprivatelinkmonitoringeffect,40cec1dd-a100-4920-b15b-3024fe8901ab,/providers/microsoft.authorization/policydefinitions/40cec1dd-a100-4920-b15b-3024fe8901ab,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,,tbd,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link.",Machine Learning,Azure Machine Learning workspaces should use private link
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2-3,Microsoft.Storage/storageAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/testwscrstorageee6a2a142,testwscrstorageee6a2a142,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,,tbd,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,[Preview]: Storage account public access should be disallowed
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2-3,Microsoft.Storage/storageAccounts,tbd,westus2,True,Compliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/testwscrstorageee6a2a142,testwscrstorageee6a2a142,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,,tbd,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2-3,Microsoft.Storage/storageAccounts,tbd,westus2,True,Compliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/testwscrstorageee6a2a142,testwscrstorageee6a2a142,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,,tbd,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,Storage accounts should be migrated to new Azure Resource Manager resources
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2-3,Microsoft.Storage/storageAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/testwscrstorageee6a2a142,testwscrstorageee6a2a142,,,,47d8e1d3106c85a1,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1,,,,12157946249499549379,8086c3485abfabde,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,,tbd,ASB-Audit3-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2-3,Microsoft.Storage/storageAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/testwscrstorageee6a2a142,testwscrstorageee6a2a142,,,,ba5e650e435f7c81,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81,,,1.0,14852652528315679993,f8db185c400632fd,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,,tbd,SEC-NetIso-PaaS-v012,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2-3,Microsoft.Storage/storageAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/testwscrstorageee6a2a142,testwscrstorageee6a2a142,,,,160bc010a809a54c,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c,,,,17090275662795447127,96d6d845984b3595,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,,tbd,ASB-Audit1-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2-3,Microsoft.Storage/storageAccounts,tbd,westus2,True,Compliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/testwscrstorageee6a2a142,testwscrstorageee6a2a142,,,,47d8e1d3106c85a1,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1,,,,2512910103565151903,33109c61cebcee66,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,,tbd,ASB-Audit3-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2-3,Microsoft.Storage/storageAccounts,tbd,westus2,True,Compliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/testwscrstorageee6a2a142,testwscrstorageee6a2a142,,,,47d8e1d3106c85a1,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1,,,,5029525481295684804,abfa13034515d626,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,,tbd,ASB-Audit3-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2-3,Microsoft.ContainerRegistry/registries,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.containerregistry/registries/5bf2b362a0fc46448255d1ce1caa543a,5bf2b362a0fc46448255d1ce1caa543a,,,,160bc010a809a54c,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c,,,,23016130034429299764,449e441566d8792d,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/449e441566d8792d,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,,tbd,ASB-Audit1-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2-3,Microsoft.Storage/storageAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/testwscrstorageee6a2a142,testwscrstorageee6a2a142,,,,47d8e1d3106c85a1,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1,,,,2997960159391222263,cc275f6260404a9a,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,,tbd,ASB-Audit3-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2-3,Microsoft.Storage/storageAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/testwscrstorageee6a2a142,testwscrstorageee6a2a142,,,,47d8e1d3106c85a1,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1,,,,8127684034919606540,ffb3acd578d03dc3,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,,tbd,ASB-Audit3-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2-3,Microsoft.Storage/storageAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/testwscrstorageee6a2a142,testwscrstorageee6a2a142,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,,tbd,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,Storage accounts should restrict network access using virtual network rules
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2-3,Microsoft.ContainerRegistry/registries,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.containerregistry/registries/5bf2b362a0fc46448255d1ce1caa543a,5bf2b362a0fc46448255d1ce1caa543a,,,,160bc010a809a54c,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c,,,,14964690428565797584,f8e7133d43e7ae8a,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8e7133d43e7ae8a,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,,tbd,ASB-Audit1-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2-3,Microsoft.Storage/storageAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/kichawus238999360667,kichawus238999360667,,,,47d8e1d3106c85a1,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1,,,,12157946249499549379,8086c3485abfabde,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,,tbd,ASB-Audit3-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2-3,Microsoft.Storage/storageAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/kichawus238999360667,kichawus238999360667,,,,47d8e1d3106c85a1,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1,,,,8127684034919606540,ffb3acd578d03dc3,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,,tbd,ASB-Audit3-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2-3,Microsoft.ContainerRegistry/registries,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.containerregistry/registries/5bf2b362a0fc46448255d1ce1caa543a,5bf2b362a0fc46448255d1ce1caa543a,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,containerregistriesshouldnotallowunrestrictednetworkaccessmonitoringeffect,d0793b48-0edc-4296-a390-4c75d1bdfd71,/providers/microsoft.authorization/policydefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,,tbd,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet.",Container Registry,Container registries should not allow unrestricted network access
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2-3,Microsoft.Storage/storageAccounts,tbd,westus2,True,Compliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/kichawus238999360667,kichawus238999360667,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,,tbd,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2-3,Microsoft.Storage/storageAccounts,tbd,westus2,True,Compliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/kichawus238999360667,kichawus238999360667,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,,tbd,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,Storage accounts should be migrated to new Azure Resource Manager resources
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2-3,Microsoft.Storage/storageAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/kichawus238999360667,kichawus238999360667,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,,tbd,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,[Preview]: Storage account public access should be disallowed
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2-3,Microsoft.Storage/storageAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/kichawus238999360667,kichawus238999360667,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,,tbd,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,Storage accounts should restrict network access using virtual network rules
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2-3,Microsoft.Storage/storageAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/kichawus238999360667,kichawus238999360667,,,,ba5e650e435f7c81,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81,,,1.0,14852652528315679993,f8db185c400632fd,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,,tbd,SEC-NetIso-PaaS-v012,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2-3,Microsoft.ContainerRegistry/registries,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.containerregistry/registries/5bf2b362a0fc46448255d1ce1caa543a,5bf2b362a0fc46448255d1ce1caa543a,,,,160bc010a809a54c,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c,,,,18329887977322141139,8ff43c0215fc2b5c,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8ff43c0215fc2b5c,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,,tbd,ASB-Audit1-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2-3,Microsoft.KeyVault/vaults,tbd,westus2,True,Compliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/testwscrkeyvault338249fa,testwscrkeyvault338249fa,,,,2338abe645719b8f,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/2338abe645719b8f,,,,4696422810491604004,7858cda978bcfbc2,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/7858cda978bcfbc2,,tbd,append,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,,tbd,AKV-SD-Initiative-v001,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/akv-sd-initiative-v001,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2-3,Microsoft.Storage/storageAccounts,tbd,westus2,True,Compliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/kichawus238999360667,kichawus238999360667,,,,47d8e1d3106c85a1,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1,,,,2512910103565151903,33109c61cebcee66,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,,tbd,ASB-Audit3-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2-3,Microsoft.Storage/storageAccounts,tbd,westus2,True,Compliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/kichawus238999360667,kichawus238999360667,,,,47d8e1d3106c85a1,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1,,,,5029525481295684804,abfa13034515d626,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,,tbd,ASB-Audit3-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2-3,Microsoft.Storage/storageAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/kichawus238999360667,kichawus238999360667,,,,47d8e1d3106c85a1,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1,,,,2997960159391222263,cc275f6260404a9a,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,,tbd,ASB-Audit3-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2-3,Microsoft.Storage/storageAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/testwscrstorageee6a2a142,testwscrstorageee6a2a142,,,,47d8e1d3106c85a1,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1,,,,12921375094189702933,3690c8076353f9,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9,,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,,tbd,ASB-Audit3-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2-3,Microsoft.ContainerRegistry/registries,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.containerregistry/registries/5bf2b362a0fc46448255d1ce1caa543a,5bf2b362a0fc46448255d1ce1caa543a,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,containerregistriesshoulduseprivatelinkmonitoringeffect,e8eef0a8-67cf-4eb4-9386-14b0e78733d4,/providers/microsoft.authorization/policydefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,,tbd,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link.",Container Registry,Container registries should use private link
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2-3,Microsoft.ContainerRegistry/registries,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.containerregistry/registries/5bf2b362a0fc46448255d1ce1caa543a,5bf2b362a0fc46448255d1ce1caa543a,,,,ba5e650e435f7c81,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81,,,1.0,41750109159906600906,6b115614afdfb4f6,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/6b115614afdfb4f6,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,,tbd,SEC-NetIso-PaaS-v012,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2-3,Microsoft.Storage/storageAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/kichawus238999360667,kichawus238999360667,,,,160bc010a809a54c,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c,,,,17090275662795447127,96d6d845984b3595,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,,tbd,ASB-Audit1-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2-3,Microsoft.Storage/storageAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/testwscrstorageee6a2a142,testwscrstorageee6a2a142,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,,tbd,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,Storage accounts should use private link
e0fd569c-e34a-4249-8c24-e8d723c7f054,kicha-wus2-3,Microsoft.KeyVault/vaults,tbd,westus2,True,Compliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/kichawus239853796918,kichawus239853796918,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.0.0,keyvaultsshouldhavesoftdeleteenabledmonitoringeffect,1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d,/providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d,azure_security_benchmark_v3.0_dp-8,tbd,audit,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,,tbd,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.",Key Vault,Key vaults should have soft delete enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-3Microsoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/kichawus239853796918kichawus239853796918160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c236466222583652451b8df08c9a5e7240d/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/b8df08c9a5e7240dtbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-3Microsoft.KeyVault/vaultstbdwestus2TrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/testwscrkeyvault338249fatestwscrkeyvault338249fa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0keyvaultsshouldhavesoftdeleteenabledmonitoringeffect1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d/providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2dazure_security_benchmark_v3.0_dp-8tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDeleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.Key VaultKey vaults should have soft delete enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-3Microsoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/testwscrkeyvault338249fatestwscrkeyvault338249fa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0firewallshouldbeenabledonkeyvaultmonitoringeffect55615ac9-af46-4a59-874e-391cc3dfb490/providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490System.Object[]tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-securityKey VaultAzure Key Vault should have firewall enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-3Microsoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/testwscrkeyvault338249fatestwscrkeyvault338249fa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0-previewprivateendpointshouldbeconfiguredforkeyvaultmonitoringeffect5f0bc445-3935-4915-9981-011aa2b46147/providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147System.Object[]tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPrivate link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration.Key Vault[Preview]: Private endpoint should be configured for Key Vault
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-3Microsoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/testwscrkeyvault338249fatestwscrkeyvault338249fa1.0.05353f06bfd8b6546/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/5353f06bfd8b6546tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdKey-Vault-Soft-Delete-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/key-vault-soft-delete-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-3Microsoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/testwscrkeyvault338249fatestwscrkeyvault338249fa47d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a117665953961397091050ad163c031e38be6b/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ad163c031e38be6btbdauditifnotexists/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-3Microsoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/testwscrkeyvault338249fatestwscrkeyvault338249fa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center5.0.0diagnosticslogsinkeyvaultmonitoringcf820ca0-f99e-4f3e-84fb-66e913812d21/providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21System.Object[]tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromisedKey VaultResource logs in Key Vault should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-3Microsoft.MachineLearningServices/workspacestbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.machinelearningservices/workspaces/kicha-wus2-3kicha-wus2-355.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0azuremachinelearningworkspacesshoulduseprivatelinkmonitoringeffect40cec1dd-a100-4920-b15b-3024fe8901ab/providers/microsoft.authorization/policydefinitions/40cec1dd-a100-4920-b15b-3024fe8901abazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link.Machine LearningAzure Machine Learning workspaces should use private link
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-3Microsoft.MachineLearningServices/workspacestbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.machinelearningservices/workspaces/kicha-wus2-3kicha-wus2-3ba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.017718906224026410856c62acd4d95271d71/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c62acd4d95271d71tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-3Microsoft.MachineLearningServices/workspacestbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.machinelearningservices/workspaces/kicha-wus2-3kicha-wus2-3160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c23057737997671742969c7994a03e85cd7/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/69c7994a03e85cd7tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-3Microsoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/testwscrkeyvault338249fatestwscrkeyvault338249fa55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect0b60c0b2-2dc2-4e1c-b5c9-abbed971de53/providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53azure_security_benchmark_v3.0_dp-8tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMalicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.Key VaultKey vaults should have purge protection enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-3Microsoft.MachineLearningServices/workspacestbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.machinelearningservices/workspaces/kicha-wus2-3kicha-wus2-3160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c165780325109665010637620c34b29d73144/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/7620c34b29d73144tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-3Microsoft.MachineLearningServices/workspacestbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.machinelearningservices/workspaces/test_ws_creationtest_ws_creation55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0azuremachinelearningworkspacesshoulduseprivatelinkmonitoringeffect40cec1dd-a100-4920-b15b-3024fe8901ab/providers/microsoft.authorization/policydefinitions/40cec1dd-a100-4920-b15b-3024fe8901abazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link.Machine LearningAzure Machine Learning workspaces should use private link
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-3Microsoft.MachineLearningServices/workspacestbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.machinelearningservices/workspaces/test_ws_creationtest_ws_creationba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.017718906224026410856c62acd4d95271d71/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c62acd4d95271d71tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-3Microsoft.MachineLearningServices/workspacestbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.machinelearningservices/workspaces/test_ws_creationtest_ws_creation160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c23057737997671742969c7994a03e85cd7/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/69c7994a03e85cd7tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-3Microsoft.MachineLearningServices/workspacestbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.machinelearningservices/workspaces/test_ws_creationtest_ws_creation160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c165780325109665010637620c34b29d73144/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/7620c34b29d73144tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-3Microsoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/testwscrkeyvault338249fatestwscrkeyvault338249faba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.07716402687079202705c7f4766e826cc01b/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c7f4766e826cc01btbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-3Microsoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/testwscrkeyvault338249fatestwscrkeyvault338249fa4df59e9ddb1bfd29/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/4df59e9ddb1bfd295754393777034286197f6b63bfe5a86b464/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f6b63bfe5a86b464tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit2-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit2-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-3Microsoft.KeyVault/vaultstbdwestus2TrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/testwscrkeyvault338249fatestwscrkeyvault338249fa4df59e9ddb1bfd29/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/4df59e9ddb1bfd296086086491514027311992f05adeaae4147/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/992f05adeaae4147tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit2-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit2-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-3Microsoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/testwscrkeyvault338249fatestwscrkeyvault338249fa160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c236466222583652451b8df08c9a5e7240d/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/b8df08c9a5e7240dtbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-3Microsoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/testwscrkeyvault338249fatestwscrkeyvault338249fa160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c8747153269957097825196cc7343d351f3b/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/196cc7343d351f3btbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-3Microsoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/kichawus239853796918kichawus23985379691847d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a117665953961397091050ad163c031e38be6b/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ad163c031e38be6btbdauditifnotexists/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-3Microsoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/kichawus239853796918kichawus239853796918160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c8747153269957097825196cc7343d351f3b/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/196cc7343d351f3btbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-3Microsoft.Storage/storageAccountstbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/kichawus238999360667kichawus23899936066747d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1129213750941897029333690c8076353f9/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9tbdauditifnotexists/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-3Microsoft.ContainerRegistry/registriestbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.containerregistry/registries/5bf2b362a0fc46448255d1ce1caa543a5bf2b362a0fc46448255d1ce1caa543a55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.1containerregistryvulnerabilityassessment5f0f936f-2f01-4bf5-b6be-d423792fa562/providers/microsoft.authorization/policydefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562System.Object[]tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinContainer image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.Security CenterContainer registry images should have vulnerability findings resolved
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-3Microsoft.KeyVault/vaultstbdwestus2TrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/kichawus239853796918kichawus2398537969182338abe645719b8f/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/2338abe645719b8f46964228104916040047858cda978bcfbc2/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/7858cda978bcfbc2tbdappend/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdAKV-SD-Initiative-v001/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/akv-sd-initiative-v001
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-3Microsoft.KeyVault/vaultstbdwestus2TrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/testwscrkeyvault338249fatestwscrkeyvault338249fa2338abe645719b8f/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/2338abe645719b8f13816903777777977516c8e4d0a348a1a362/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c8e4d0a348a1a362tbdmodify/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdAKV-SD-Initiative-v001/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/akv-sd-initiative-v001
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-3Microsoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/kichawus239853796918kichawus23985379691855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center5.0.0diagnosticslogsinkeyvaultmonitoringcf820ca0-f99e-4f3e-84fb-66e913812d21/providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21System.Object[]tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromisedKey VaultResource logs in Key Vault should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-3Microsoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/kichawus239853796918kichawus23985379691855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect0b60c0b2-2dc2-4e1c-b5c9-abbed971de53/providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53azure_security_benchmark_v3.0_dp-8tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMalicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.Key VaultKey vaults should have purge protection enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-3Microsoft.KeyVault/vaultstbdwestus2TrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/kichawus239853796918kichawus2398537969184df59e9ddb1bfd29/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/4df59e9ddb1bfd296086086491514027311992f05adeaae4147/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/992f05adeaae4147tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit2-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit2-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-3Microsoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/kichawus239853796918kichawus2398537969184df59e9ddb1bfd29/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/4df59e9ddb1bfd295754393777034286197f6b63bfe5a86b464/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f6b63bfe5a86b464tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit2-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit2-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-3Microsoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/kichawus239853796918kichawus239853796918ba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.07716402687079202705c7f4766e826cc01b/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c7f4766e826cc01btbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-3Microsoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/kichawus239853796918kichawus2398537969181.0.05353f06bfd8b6546/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/5353f06bfd8b6546tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdKey-Vault-Soft-Delete-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/key-vault-soft-delete-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-3Microsoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/kichawus239853796918kichawus23985379691855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0-previewprivateendpointshouldbeconfiguredforkeyvaultmonitoringeffect5f0bc445-3935-4915-9981-011aa2b46147/providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147System.Object[]tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPrivate link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration.Key Vault[Preview]: Private endpoint should be configured for Key Vault
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-3Microsoft.KeyVault/vaultstbdwestus2TrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/kichawus239853796918kichawus2398537969182338abe645719b8f/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/2338abe645719b8f13816903777777977516c8e4d0a348a1a362/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c8e4d0a348a1a362tbdmodify/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdAKV-SD-Initiative-v001/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/akv-sd-initiative-v001
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-3Microsoft.KeyVault/vaultstbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.keyvault/vaults/kichawus239853796918kichawus23985379691855.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0firewallshouldbeenabledonkeyvaultmonitoringeffect55615ac9-af46-4a59-874e-391cc3dfb490/providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490System.Object[]tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-securityKey VaultAzure Key Vault should have firewall enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054kicha-wus2-3Microsoft.Storage/storageAccountstbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/kicha-wus2-3/providers/microsoft.storage/storageaccounts/kichawus238999360667kichawus23899936066755.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.Storage/storageAccountstbdswitzerlandnorthFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated076607435187lantacreated07660743518755.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.Storage/storageAccountstbdswitzerlandnorthFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated076607435187lantacreated076607435187ba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.014852652528315679993f8db185c400632fd/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fdtbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated035018411264lantacreated03501841126455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.Storage/storageAccountstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated070090630020lantacreated07009063002055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.Storage/storageAccountstbdwestcentralusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated070090630020lantacreated07009063002055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.Storage/storageAccountstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated070090630020lantacreated070090630020160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c1709027566279544712796d6d845984b3595/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.Storage/storageAccountstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated070090630020lantacreated070090630020ba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.014852652528315679993f8db185c400632fd/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fdtbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.Storage/storageAccountstbdswitzerlandnorthTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated076607435187lantacreated07660743518747d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a15029525481295684804abfa13034515d626/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.Storage/storageAccountstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated070090630020lantacreated07009063002055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.Storage/storageAccountstbdswitzerlandnorthFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated076607435187lantacreated07660743518755.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.Storage/storageAccountstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated070090630020lantacreated07009063002047d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1129213750941897029333690c8076353f9/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9tbdauditifnotexists/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.Storage/storageAccountstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantam3y2022wc7332165846lantam3y2022wc733216584647d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1129213750941897029333690c8076353f9/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9tbdauditifnotexists/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.Storage/storageAccountstbdswitzerlandnorthFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated076607435187lantacreated07660743518747d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1129213750941897029333690c8076353f9/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9tbdauditifnotexists/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated032242745469lantacreated03224274546955.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center5.0.0diagnosticslogsinkeyvaultmonitoringcf820ca0-f99e-4f3e-84fb-66e913812d21/providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21System.Object[]tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromisedKey VaultResource logs in Key Vault should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.Storage/storageAccountstbdswitzerlandnorthFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated076607435187lantacreated07660743518755.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated032242745469lantacreated03224274546947d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a117665953961397091050ad163c031e38be6b/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ad163c031e38be6btbdauditifnotexists/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.Storage/storageAccountstbdswitzerlandnorthTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated076607435187lantacreated07660743518755.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.Storage/storageAccountstbdwestcentralusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated070090630020lantacreated07009063002055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.Storage/storageAccountstbdswitzerlandnorthTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated076607435187lantacreated07660743518755.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.Storage/storageAccountstbdswitzerlandnorthFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated076607435187lantacreated076607435187160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c1709027566279544712796d6d845984b3595/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.Storage/storageAccountstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated070090630020lantacreated07009063002047d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1121579462494995493798086c3485abfabde/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabdetbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.Storage/storageAccountstbdswitzerlandnorthFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated076607435187lantacreated07660743518747d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1121579462494995493798086c3485abfabde/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabdetbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.Storage/storageAccountstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated070090630020lantacreated07009063002047d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a12997960159391222263cc275f6260404a9a/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9atbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.Storage/storageAccountstbdswitzerlandnorthFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated076607435187lantacreated07660743518747d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a12997960159391222263cc275f6260404a9a/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9atbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.Storage/storageAccountstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated070090630020lantacreated07009063002047d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a18127684034919606540ffb3acd578d03dc3/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.Storage/storageAccountstbdswitzerlandnorthFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated076607435187lantacreated07660743518747d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a18127684034919606540ffb3acd578d03dc3/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.Storage/storageAccountstbdwestcentralusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantam3y2022wc7332165846lantam3y2022wc733216584655.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.Storage/storageAccountstbdwestcentralusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantam3y2022wc7332165846lantam3y2022wc733216584655.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.Storage/storageAccountstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantam3y2022wc7332165846lantam3y2022wc733216584655.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.Storage/storageAccountstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantam3y2022wc7332165846lantam3y2022wc733216584655.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.Storage/storageAccountstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantam3y2022wc7332165846lantam3y2022wc7332165846ba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.014852652528315679993f8db185c400632fd/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fdtbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.Storage/storageAccountstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantam3y2022wc7332165846lantam3y2022wc7332165846160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c1709027566279544712796d6d845984b3595/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.Storage/storageAccountstbdwestcentralusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantam3y2022wc7332165846lantam3y2022wc733216584647d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1251291010356515190333109c61cebcee66/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.Storage/storageAccountstbdwestcentralusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantam3y2022wc7332165846lantam3y2022wc733216584647d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a15029525481295684804abfa13034515d626/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.Storage/storageAccountstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantam3y2022wc7332165846lantam3y2022wc733216584647d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1121579462494995493798086c3485abfabde/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabdetbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.Storage/storageAccountstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantam3y2022wc7332165846lantam3y2022wc733216584647d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a18127684034919606540ffb3acd578d03dc3/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.Storage/storageAccountstbdswitzerlandnorthTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated076607435187lantacreated07660743518747d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1251291010356515190333109c61cebcee66/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.KeyVault/vaultstbdswitzerlandnorthFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated078811670681lantacreated07881167068147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a117665953961397091050ad163c031e38be6b/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ad163c031e38be6btbdauditifnotexists/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.KeyVault/vaultstbdswitzerlandnorthFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated078811670681lantacreated07881167068155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center5.0.0diagnosticslogsinkeyvaultmonitoringcf820ca0-f99e-4f3e-84fb-66e913812d21/providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21System.Object[]tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromisedKey VaultResource logs in Key Vault should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated035018411264lantacreated03501841126447d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1129213750941897029333690c8076353f9/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9tbdauditifnotexists/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.Storage/storageAccountstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated070090630020lantacreated07009063002055.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.Storage/storageAccountstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantam3y2022wc7332165846lantam3y2022wc733216584655.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.Storage/storageAccountstbdwestcentralusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated070090630020lantacreated07009063002047d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a15029525481295684804abfa13034515d626/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.Storage/storageAccountstbdwestcentralusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated070090630020lantacreated07009063002047d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1251291010356515190333109c61cebcee66/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.Storage/storageAccountstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantam3y2022wc7332165846lantam3y2022wc733216584647d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a12997960159391222263cc275f6260404a9a/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9atbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.MachineLearningServices/workspacestbdeastusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.machinelearningservices/workspaces/lanta-created03-18-2022lanta-created03-18-202255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0azuremachinelearningworkspacesshoulduseprivatelinkmonitoringeffect40cec1dd-a100-4920-b15b-3024fe8901ab/providers/microsoft.authorization/policydefinitions/40cec1dd-a100-4920-b15b-3024fe8901abazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link.Machine LearningAzure Machine Learning workspaces should use private link
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.storage/storageaccounts/lantacreated035018411264lantacreated03501841126447d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a18127684034919606540ffb3acd578d03dc3/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.KeyVault/vaultstbdswitzerlandnorthFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated078811670681lantacreated07881167068155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0firewallshouldbeenabledonkeyvaultmonitoringeffect55615ac9-af46-4a59-874e-391cc3dfb490/providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490System.Object[]tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-securityKey VaultAzure Key Vault should have firewall enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.KeyVault/vaultstbdswitzerlandnorthTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated078811670681lantacreated07881167068155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0keyvaultsshouldhavesoftdeleteenabledmonitoringeffect1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d/providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2dazure_security_benchmark_v3.0_dp-8tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDeleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.Key VaultKey vaults should have soft delete enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.KeyVault/vaultstbdswitzerlandnorthFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated078811670681lantacreated07881167068155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect0b60c0b2-2dc2-4e1c-b5c9-abbed971de53/providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53azure_security_benchmark_v3.0_dp-8tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMalicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.Key VaultKey vaults should have purge protection enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.KeyVault/vaultstbdswitzerlandnorthTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated078811670681lantacreated0788116706812338abe645719b8f/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/2338abe645719b8f13816903777777977516c8e4d0a348a1a362/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c8e4d0a348a1a362tbdmodify/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdAKV-SD-Initiative-v001/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/akv-sd-initiative-v001
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.KeyVault/vaultstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated073817376534lantacreated073817376534160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c8747153269957097825196cc7343d351f3b/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/196cc7343d351f3btbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.KeyVault/vaultstbdswitzerlandnorthTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated078811670681lantacreated0788116706812338abe645719b8f/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/2338abe645719b8f46964228104916040047858cda978bcfbc2/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/7858cda978bcfbc2tbdappend/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdAKV-SD-Initiative-v001/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/akv-sd-initiative-v001
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.KeyVault/vaultstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated073817376534lantacreated073817376534160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c236466222583652451b8df08c9a5e7240d/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/b8df08c9a5e7240dtbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.KeyVault/vaultstbdwestcentralusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated073817376534lantacreated0738173765344df59e9ddb1bfd29/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/4df59e9ddb1bfd296086086491514027311992f05adeaae4147/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/992f05adeaae4147tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit2-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit2-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.KeyVault/vaultstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated073817376534lantacreated0738173765344df59e9ddb1bfd29/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/4df59e9ddb1bfd295754393777034286197f6b63bfe5a86b464/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f6b63bfe5a86b464tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit2-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit2-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.KeyVault/vaultstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated073817376534lantacreated073817376534ba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.07716402687079202705c7f4766e826cc01b/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c7f4766e826cc01btbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.KeyVault/vaultstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated073817376534lantacreated0738173765341.0.05353f06bfd8b6546/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/5353f06bfd8b6546tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdKey-Vault-Soft-Delete-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/key-vault-soft-delete-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.KeyVault/vaultstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated073817376534lantacreated07381737653455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0-previewprivateendpointshouldbeconfiguredforkeyvaultmonitoringeffect5f0bc445-3935-4915-9981-011aa2b46147/providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147System.Object[]tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPrivate link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration.Key Vault[Preview]: Private endpoint should be configured for Key Vault
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.KeyVault/vaultstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated073817376534lantacreated07381737653455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0firewallshouldbeenabledonkeyvaultmonitoringeffect55615ac9-af46-4a59-874e-391cc3dfb490/providers/microsoft.authorization/policydefinitions/55615ac9-af46-4a59-874e-391cc3dfb490System.Object[]tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinEnable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-securityKey VaultAzure Key Vault should have firewall enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.KeyVault/vaultstbdwestcentralusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated073817376534lantacreated07381737653455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.0.0keyvaultsshouldhavesoftdeleteenabledmonitoringeffect1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d/providers/microsoft.authorization/policydefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2dazure_security_benchmark_v3.0_dp-8tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinDeleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.Key VaultKey vaults should have soft delete enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.KeyVault/vaultstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated073817376534lantacreated07381737653455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0keyvaultsshouldhavepurgeprotectionenabledmonitoringeffect0b60c0b2-2dc2-4e1c-b5c9-abbed971de53/providers/microsoft.authorization/policydefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53azure_security_benchmark_v3.0_dp-8tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinMalicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.Key VaultKey vaults should have purge protection enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.KeyVault/vaultstbdswitzerlandnorthFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated078811670681lantacreated07881167068155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0-previewprivateendpointshouldbeconfiguredforkeyvaultmonitoringeffect5f0bc445-3935-4915-9981-011aa2b46147/providers/microsoft.authorization/policydefinitions/5f0bc445-3935-4915-9981-011aa2b46147System.Object[]tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinPrivate link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration.Key Vault[Preview]: Private endpoint should be configured for Key Vault
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.KeyVault/vaultstbdwestcentralusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated073817376534lantacreated0738173765342338abe645719b8f/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/2338abe645719b8f13816903777777977516c8e4d0a348a1a362/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c8e4d0a348a1a362tbdmodify/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdAKV-SD-Initiative-v001/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/akv-sd-initiative-v001
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.KeyVault/vaultstbdswitzerlandnorthFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated078811670681lantacreated0788116706811.0.05353f06bfd8b6546/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/5353f06bfd8b6546tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdKey-Vault-Soft-Delete-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/key-vault-soft-delete-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.KeyVault/vaultstbdswitzerlandnorthFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated078811670681lantacreated0788116706814df59e9ddb1bfd29/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/4df59e9ddb1bfd295754393777034286197f6b63bfe5a86b464/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f6b63bfe5a86b464tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit2-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit2-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.MachineLearningServices/workspacestbdeastusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.machinelearningservices/workspaces/lanta-created03-18-2022lanta-created03-18-2022160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c23057737997671742969c7994a03e85cd7/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/69c7994a03e85cd7tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.MachineLearningServices/workspacestbdeastusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.machinelearningservices/workspaces/lanta-created03-18-2022lanta-created03-18-2022160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c165780325109665010637620c34b29d73144/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/7620c34b29d73144tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.MachineLearningServices/workspacestbdswitzerlandnorthFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.machinelearningservices/workspaces/lanta-created07-27-2022lanta-created07-27-2022160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c165780325109665010637620c34b29d73144/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/7620c34b29d73144tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.MachineLearningServices/workspacestbdeastusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.machinelearningservices/workspaces/lanta-created03-18-2022lanta-created03-18-2022ba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.017718906224026410856c62acd4d95271d71/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c62acd4d95271d71tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.MachineLearningServices/workspacestbdswitzerlandnorthFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.machinelearningservices/workspaces/lanta-created07-27-2022lanta-created07-27-2022160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c23057737997671742969c7994a03e85cd7/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/69c7994a03e85cd7tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.MachineLearningServices/workspacestbdswitzerlandnorthFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.machinelearningservices/workspaces/lanta-created07-27-2022lanta-created07-27-2022ba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.017718906224026410856c62acd4d95271d71/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c62acd4d95271d71tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.MachineLearningServices/workspacestbdswitzerlandnorthFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.machinelearningservices/workspaces/lanta-created07-27-2022lanta-created07-27-202255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0azuremachinelearningworkspacesshoulduseprivatelinkmonitoringeffect40cec1dd-a100-4920-b15b-3024fe8901ab/providers/microsoft.authorization/policydefinitions/40cec1dd-a100-4920-b15b-3024fe8901abazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link.Machine LearningAzure Machine Learning workspaces should use private link
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.MachineLearningServices/workspacestbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.machinelearningservices/workspaces/lanta-created07-18-2022lanta-created07-18-2022160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c165780325109665010637620c34b29d73144/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/7620c34b29d73144tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.MachineLearningServices/workspacestbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.machinelearningservices/workspaces/lanta-created07-18-2022lanta-created07-18-2022160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c23057737997671742969c7994a03e85cd7/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/69c7994a03e85cd7tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.MachineLearningServices/workspacestbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.machinelearningservices/workspaces/lanta-created07-18-2022lanta-created07-18-202255.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.1.0azuremachinelearningworkspacesshoulduseprivatelinkmonitoringeffect40cec1dd-a100-4920-b15b-3024fe8901ab/providers/microsoft.authorization/policydefinitions/40cec1dd-a100-4920-b15b-3024fe8901abazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link.Machine LearningAzure Machine Learning workspaces should use private link
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.KeyVault/vaultstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated073817376534lantacreated07381737653447d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a117665953961397091050ad163c031e38be6b/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ad163c031e38be6btbdauditifnotexists/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.KeyVault/vaultstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated073817376534lantacreated07381737653455.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center5.0.0diagnosticslogsinkeyvaultmonitoringcf820ca0-f99e-4f3e-84fb-66e913812d21/providers/microsoft.authorization/policydefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21System.Object[]tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromisedKey VaultResource logs in Key Vault should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.KeyVault/vaultstbdswitzerlandnorthFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated078811670681lantacreated078811670681160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c8747153269957097825196cc7343d351f3b/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/196cc7343d351f3btbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.KeyVault/vaultstbdswitzerlandnorthFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated078811670681lantacreated078811670681160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c236466222583652451b8df08c9a5e7240d/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/b8df08c9a5e7240dtbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.KeyVault/vaultstbdswitzerlandnorthTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated078811670681lantacreated0788116706814df59e9ddb1bfd29/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/4df59e9ddb1bfd296086086491514027311992f05adeaae4147/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/992f05adeaae4147tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit2-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit2-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.KeyVault/vaultstbdswitzerlandnorthFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated078811670681lantacreated078811670681ba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.07716402687079202705c7f4766e826cc01b/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c7f4766e826cc01btbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.KeyVault/vaultstbdwestcentralusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated073817376534lantacreated0738173765342338abe645719b8f/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/2338abe645719b8f46964228104916040047858cda978bcfbc2/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/7858cda978bcfbc2tbdappend/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdAKV-SD-Initiative-v001/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/akv-sd-initiative-v001
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.MachineLearningServices/workspacestbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.machinelearningservices/workspaces/lanta-created07-18-2022lanta-created07-18-2022ba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.017718906224026410856c62acd4d95271d71/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/c62acd4d95271d71tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.KeyVault/vaultstbdeastusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.keyvault/vaults/lantacreated032242745469lantacreated032242745469160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c236466222583652451b8df08c9a5e7240d/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/b8df08c9a5e7240dtbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.ContainerRegistry/registriestbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.containerregistry/registries/3e141df6df1d42e69a1416564e04fc813e141df6df1d42e69a1416564e04fc81160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c14964690428565797584f8e7133d43e7ae8a/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8e7133d43e7ae8atbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054Lanta-RGMicrosoft.ContainerRegistry/registriestbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/lanta-rg/providers/microsoft.containerregistry/registries/3e141df6df1d42e69a1416564e04fc813e141df6df1d42e69a1416564e04fc81160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c183298879773221411398ff43c0215fc2b5c/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8ff43c0215fc2b5ctbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdsoutheastasiaFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumsea1mlregontumsea1ba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.014852652528315679993f8db185c400632fd/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fdtbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdsoutheastasiaFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumsea1mlregontumsea1160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c1709027566279544712796d6d845984b3595/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdsoutheastasiaFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumsea1mlregontumsea155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdsoutheastasiaFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumsea1mlregontumsea155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdsoutheastasiaFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumsea1mlregontumsea147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a18127684034919606540ffb3acd578d03dc3/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdsoutheastasiaTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumsea1mlregontumsea147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1251291010356515190333109c61cebcee66/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdsoutheastasiaTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumsea1mlregontumsea155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbduksouthFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumuks1mlregontumuks1ba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.014852652528315679993f8db185c400632fd/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fdtbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbduksouthTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumuks1mlregontumuks155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbduksouthTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumuks1mlregontumuks155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbduksouthFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumuks1mlregontumuks155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbduksouthFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumuks1mlregontumuks155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbduksouthFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumuks1mlregontumuks1160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c1709027566279544712796d6d845984b3595/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbduksouthTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumuks1mlregontumuks147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1251291010356515190333109c61cebcee66/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbduksouthTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumuks1mlregontumuks147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a15029525481295684804abfa13034515d626/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbduksouthFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumuks1mlregontumuks147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1121579462494995493798086c3485abfabde/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabdetbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbduksouthFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumuks1mlregontumuks147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a12997960159391222263cc275f6260404a9a/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9atbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbduksouthFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumuks1mlregontumuks147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a18127684034919606540ffb3acd578d03dc3/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdnorthcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumncus1mlregontumncus147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1129213750941897029333690c8076353f9/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9tbdauditifnotexists/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumscus1mlregontumscus155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumscus1mlregontumscus147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1129213750941897029333690c8076353f9/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9tbdauditifnotexists/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdnorthcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumncus1mlregontumncus155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdsoutheastasiaTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumsea1mlregontumsea155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumscus1mlregontumscus155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdjapaneastFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumjpe1mlregontumjpe147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1129213750941897029333690c8076353f9/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9tbdauditifnotexists/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_private_preview_registry,Microsoft.Storage/storageAccounts,tbd,japanwest,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumjpw1,mlregontumjpw1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,tbd,,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,"Storage accounts should use private link"
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_private_preview_registry,Microsoft.Storage/storageAccounts,tbd,northcentralus,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumncus1,mlregontumncus1,,,,47d8e1d3106c85a1,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1,,,,8127684034919606540,ffb3acd578d03dc3,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit3-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_private_preview_registry,Microsoft.Storage/storageAccounts,tbd,northeurope,True,Compliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumneu1,mlregontumneu1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,tbd,,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,"Secure transfer to storage accounts should be enabled"
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_private_preview_registry,Microsoft.Storage/storageAccounts,tbd,northeurope,True,Compliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumneu1,mlregontumneu1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,tbd,,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,"Storage accounts should be migrated to new Azure Resource Manager resources"
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_private_preview_registry,Microsoft.Storage/storageAccounts,tbd,northeurope,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumneu1,mlregontumneu1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,tbd,,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,"[Preview]: Storage account public access should be disallowed"
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_private_preview_registry,Microsoft.Storage/storageAccounts,tbd,northeurope,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumneu1,mlregontumneu1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,tbd,,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,"Storage accounts should restrict network access using virtual network rules"
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_private_preview_registry,Microsoft.Storage/storageAccounts,tbd,northeurope,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumneu1,mlregontumneu1,,,,ba5e650e435f7c81,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81,,,1.0,14852652528315679993,f8db185c400632fd,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,SEC-NetIso-PaaS-v012,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_private_preview_registry,Microsoft.Storage/storageAccounts,tbd,northeurope,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumneu1,mlregontumneu1,,,,160bc010a809a54c,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c,,,,17090275662795447127,96d6d845984b3595,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit1-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_private_preview_registry,Microsoft.Storage/storageAccounts,tbd,northeurope,True,Compliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumneu1,mlregontumneu1,,,,47d8e1d3106c85a1,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1,,,,2512910103565151903,33109c61cebcee66,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit3-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_private_preview_registry,Microsoft.Storage/storageAccounts,tbd,northeurope,True,Compliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumneu1,mlregontumneu1,,,,47d8e1d3106c85a1,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1,,,,5029525481295684804,abfa13034515d626,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit3-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_private_preview_registry,Microsoft.Storage/storageAccounts,tbd,northeurope,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumneu1,mlregontumneu1,,,,47d8e1d3106c85a1,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1,,,,12157946249499549379,8086c3485abfabde,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit3-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_private_preview_registry,Microsoft.Storage/storageAccounts,tbd,northeurope,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumneu1,mlregontumneu1,,,,47d8e1d3106c85a1,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1,,,,2997960159391222263,cc275f6260404a9a,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit3-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_private_preview_registry,Microsoft.Storage/storageAccounts,tbd,japaneast,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumjpe1,mlregontumjpe1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,tbd,,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,"Storage accounts should use private link"
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_private_preview_registry,Microsoft.Storage/storageAccounts,tbd,northeurope,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumneu1,mlregontumneu1,,,,47d8e1d3106c85a1,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1,,,,8127684034919606540,ffb3acd578d03dc3,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit3-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_private_preview_registry,Microsoft.Storage/storageAccounts,tbd,southcentralus,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumscus1,mlregontumscus1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,tbd,,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,"[Preview]: Storage account public access should be disallowed"
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_private_preview_registry,Microsoft.Storage/storageAccounts,tbd,southcentralus,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumscus1,mlregontumscus1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,tbd,,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,"Storage accounts should restrict network access using virtual network rules"
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_private_preview_registry,Microsoft.Storage/storageAccounts,tbd,southcentralus,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumscus1,mlregontumscus1,,,,ba5e650e435f7c81,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81,,,1.0,14852652528315679993,f8db185c400632fd,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,SEC-NetIso-PaaS-v012,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_private_preview_registry,Microsoft.Storage/storageAccounts,tbd,southcentralus,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumscus1,mlregontumscus1,,,,160bc010a809a54c,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c,,,,17090275662795447127,96d6d845984b3595,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit1-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_private_preview_registry,Microsoft.Storage/storageAccounts,tbd,southcentralus,True,Compliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumscus1,mlregontumscus1,,,,47d8e1d3106c85a1,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1,,,,2512910103565151903,33109c61cebcee66,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit3-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_private_preview_registry,Microsoft.Storage/storageAccounts,tbd,southcentralus,True,Compliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumscus1,mlregontumscus1,,,,47d8e1d3106c85a1,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1,,,,5029525481295684804,abfa13034515d626,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit3-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_private_preview_registry,Microsoft.Storage/storageAccounts,tbd,southcentralus,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumscus1,mlregontumscus1,,,,47d8e1d3106c85a1,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1,,,,12157946249499549379,8086c3485abfabde,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit3-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_private_preview_registry,Microsoft.Storage/storageAccounts,tbd,southcentralus,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumscus1,mlregontumscus1,,,,47d8e1d3106c85a1,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1,,,,2997960159391222263,cc275f6260404a9a,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit3-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_private_preview_registry,Microsoft.Storage/storageAccounts,tbd,southcentralus,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumscus1,mlregontumscus1,,,,47d8e1d3106c85a1,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1,,,,8127684034919606540,ffb3acd578d03dc3,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit3-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_private_preview_registry,Microsoft.Storage/storageAccounts,tbd,eastus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeus21,mlregontumeus21,,,,47d8e1d3106c85a1,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1,,,,12921375094189702933,3690c8076353f9,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9,,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit3-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_private_preview_registry,Microsoft.Storage/storageAccounts,tbd,francecentral,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumfrc1,mlregontumfrc1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,tbd,,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,"Storage accounts should use private link"
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_private_preview_registry,Microsoft.Storage/storageAccounts,tbd,francecentral,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumfrc1,mlregontumfrc1,,,,47d8e1d3106c85a1,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1,,,,12921375094189702933,3690c8076353f9,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9,,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit3-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_private_preview_registry,Microsoft.Storage/storageAccounts,tbd,southcentralus,True,Compliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumscus1,mlregontumscus1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,tbd,,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,"Secure transfer to storage accounts should be enabled"
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_private_preview_registry,Microsoft.Storage/storageAccounts,tbd,westcentralus,True,Compliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwcus1,mlregontumwcus1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,tbd,,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,"Secure transfer to storage accounts should be enabled"
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_private_preview_registry,Microsoft.Storage/storageAccounts,tbd,northeurope,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumneu1,mlregontumneu1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,tbd,,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,"Storage accounts should use private link"
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_private_preview_registry,Microsoft.Storage/storageAccounts,tbd,westcentralus,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwcus1,mlregontumwcus1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,tbd,,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,"[Preview]: Storage account public access should be disallowed"
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_private_preview_registry,Microsoft.Storage/storageAccounts,tbd,northeurope,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumneu1,mlregontumneu1,,,,47d8e1d3106c85a1,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1,,,,12921375094189702933,3690c8076353f9,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9,,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit3-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_private_preview_registry,Microsoft.Storage/storageAccounts,tbd,northcentralus,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumncus1,mlregontumncus1,,,,47d8e1d3106c85a1,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1,,,,2997960159391222263,cc275f6260404a9a,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit3-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_private_preview_registry,Microsoft.Storage/storageAccounts,tbd,westcentralus,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwcus1,mlregontumwcus1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,tbd,,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,"Storage accounts should use private link"
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_private_preview_registry,Microsoft.Storage/storageAccounts,tbd,westcentralus,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwcus1,mlregontumwcus1,,,,47d8e1d3106c85a1,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1,,,,12921375094189702933,3690c8076353f9,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9,,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit3-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdwestus2TrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwus21mlregontumwus2155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdwestus2TrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwus21mlregontumwus2155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwus21mlregontumwus2155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwus21mlregontumwus2155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwus21mlregontumwus21ba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.014852652528315679993f8db185c400632fd/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fdtbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwus21mlregontumwus21160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c1709027566279544712796d6d845984b3595/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdwestus2TrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwus21mlregontumwus2147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1251291010356515190333109c61cebcee66/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdwestus2TrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwus21mlregontumwus2147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a15029525481295684804abfa13034515d626/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwus1mlregontumwus147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a18127684034919606540ffb3acd578d03dc3/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwus21mlregontumwus2147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1121579462494995493798086c3485abfabde/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabdetbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwus21mlregontumwus2147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a18127684034919606540ffb3acd578d03dc3/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdjapanwestFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumjpw1mlregontumjpw147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1129213750941897029333690c8076353f9/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9tbdauditifnotexists/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbduksouthFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumuks1mlregontumuks147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1129213750941897029333690c8076353f9/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9tbdauditifnotexists/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdsoutheastasiaFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumsea1mlregontumsea147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1129213750941897029333690c8076353f9/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9tbdauditifnotexists/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwus1mlregontumwus155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwus1mlregontumwus147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1129213750941897029333690c8076353f9/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9tbdauditifnotexists/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdwesteuropeFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumweu1mlregontumweu155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdwesteuropeFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumweu1mlregontumweu147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1129213750941897029333690c8076353f9/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9tbdauditifnotexists/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwus21mlregontumwus2155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwus21mlregontumwus2147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1129213750941897029333690c8076353f9/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9tbdauditifnotexists/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbduksouthFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumuks1mlregontumuks155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdsoutheastasiaFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumsea1mlregontumsea155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwus21mlregontumwus2147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a12997960159391222263cc275f6260404a9a/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9atbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdwestcentralusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwcus1mlregontumwcus155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwus1mlregontumwus147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a12997960159391222263cc275f6260404a9a/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9atbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumwus1mlregontumwus147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a15029525481295684804abfa13034515d626/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcus1mlregontumcus155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcus1mlregontumcus155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdcentralusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcus1mlregontumcus155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdcentralusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcus1mlregontumcus155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.ContainerRegistry/registriestbdeastusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.containerregistry/registries/mlregontummlregontum55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.1containerregistryvulnerabilityassessment5f0f936f-2f01-4bf5-b6be-d423792fa562/providers/microsoft.authorization/policydefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562System.Object[]tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinContainer image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.Security CenterContainer registry images should have vulnerability findings resolved
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.ContainerRegistry/registriestbdeastusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.containerregistry/registries/mlregontummlregontum160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c2301613003442929976449e441566d8792d/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/449e441566d8792dtbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.ContainerRegistry/registriestbdeastusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.containerregistry/registries/mlregontummlregontum160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c14964690428565797584f8e7133d43e7ae8a/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8e7133d43e7ae8atbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.ContainerRegistry/registriestbdeastusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.containerregistry/registries/mlregontummlregontum160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c183298879773221411398ff43c0215fc2b5c/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8ff43c0215fc2b5ctbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdcanadacentralTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcac1mlregontumcac147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1251291010356515190333109c61cebcee66/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdcanadacentralFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcac1mlregontumcac1160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c1709027566279544712796d6d845984b3595/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdcanadacentralTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcac1mlregontumcac147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a15029525481295684804abfa13034515d626/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdcanadacentralFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcac1mlregontumcac147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1121579462494995493798086c3485abfabde/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabdetbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeus1mlregontumeus1ba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.014852652528315679993f8db185c400632fd/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fdtbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeus1mlregontumeus155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeus1mlregontumeus155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeus1mlregontumeus155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeus1mlregontumeus155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdcanadacentralFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcac1mlregontumcac147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1129213750941897029333690c8076353f9/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9tbdauditifnotexists/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdbrazilsouthFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumbrs1mlregontumbrs155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcus1mlregontumcus155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdbrazilsouthFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumbrs1mlregontumbrs147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1129213750941897029333690c8076353f9/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9tbdauditifnotexists/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdaustraliaeastFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumaue1mlregontumaue147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1129213750941897029333690c8076353f9/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9tbdauditifnotexists/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdcentralindiaFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcind1mlregontumcind147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a18127684034919606540ffb3acd578d03dc3/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdcanadacentralFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcac1mlregontumcac147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a18127684034919606540ffb3acd578d03dc3/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdcentralindiaFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcind1mlregontumcind147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a12997960159391222263cc275f6260404a9a/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9atbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdcanadacentralFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcac1mlregontumcac147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a12997960159391222263cc275f6260404a9a/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9atbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdcentralindiaFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcind1mlregontumcind147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1121579462494995493798086c3485abfabde/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabdetbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdcentralindiaTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcind1mlregontumcind147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a15029525481295684804abfa13034515d626/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeus1mlregontumeus1160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c1709027566279544712796d6d845984b3595/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.ContainerRegistry/registriestbdeastusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.containerregistry/registries/mlregontummlregontumba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.041750109159906600906b115614afdfb4f6/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/6b115614afdfb4f6tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.ContainerRegistry/registriestbdeastusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.containerregistry/registries/mlregontummlregontum55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0containerregistriesshouldnotallowunrestrictednetworkaccessmonitoringeffectd0793b48-0edc-4296-a390-4c75d1bdfd71/providers/microsoft.authorization/policydefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet.Container RegistryContainer registries should not allow unrestricted network access
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdbrazilsouthFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumbrs1mlregontumbrs1ba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.014852652528315679993f8db185c400632fd/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fdtbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdbrazilsouthFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumbrs1mlregontumbrs1160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c1709027566279544712796d6d845984b3595/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdbrazilsouthTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumbrs1mlregontumbrs147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1251291010356515190333109c61cebcee66/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdbrazilsouthTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumbrs1mlregontumbrs147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a15029525481295684804abfa13034515d626/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdbrazilsouthFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumbrs1mlregontumbrs147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1121579462494995493798086c3485abfabde/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabdetbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdbrazilsouthFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumbrs1mlregontumbrs147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a12997960159391222263cc275f6260404a9a/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9atbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdbrazilsouthFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumbrs1mlregontumbrs147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a18127684034919606540ffb3acd578d03dc3/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdcentralindiaTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcind1mlregontumcind155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdcanadacentralTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcac1mlregontumcac155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdcentralindiaTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcind1mlregontumcind155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdcanadacentralTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcac1mlregontumcac155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdnorthcentralusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumncus1mlregontumncus147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a15029525481295684804abfa13034515d626/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdcentralindiaFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcind1mlregontumcind155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdcanadacentralFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcac1mlregontumcac155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdcentralindiaFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumcind1mlregontumcind155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdbrazilsouthFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumbrs1mlregontumbrs155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.ContainerRegistry/registriestbdeastusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.containerregistry/registries/mlregontummlregontum55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1containerregistriesshoulduseprivatelinkmonitoringeffecte8eef0a8-67cf-4eb4-9386-14b0e78733d4/providers/microsoft.authorization/policydefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link.Container RegistryContainer registries should use private link
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdbrazilsouthFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumbrs1mlregontumbrs155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdbrazilsouthTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumbrs1mlregontumbrs155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdaustraliaeastTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumaue1mlregontumaue155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdaustraliaeastTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumaue1mlregontumaue155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdaustraliaeastFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumaue1mlregontumaue155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdaustraliaeastFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumaue1mlregontumaue155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdnorthcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumncus1mlregontumncus1160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c1709027566279544712796d6d845984b3595/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdnorthcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumncus1mlregontumncus1ba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.014852652528315679993f8db185c400632fd/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fdtbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdnorthcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumncus1mlregontumncus155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdnorthcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumncus1mlregontumncus155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdnorthcentralusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumncus1mlregontumncus155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdnorthcentralusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumncus1mlregontumncus155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdeastasiaFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeas1mlregontumeas147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1129213750941897029333690c8076353f9/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9tbdauditifnotexists/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdeastus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeus21mlregontumeus2155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdeastasiaFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeas1mlregontumeas155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdaustraliaeastFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumaue1mlregontumaue155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeus1mlregontumeus147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1129213750941897029333690c8076353f9/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9tbdauditifnotexists/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdjapanwestFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumjpw1mlregontumjpw147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a18127684034919606540ffb3acd578d03dc3/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdjapanwestFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumjpw1mlregontumjpw147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a12997960159391222263cc275f6260404a9a/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9atbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdjapanwestFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumjpw1mlregontumjpw147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1121579462494995493798086c3485abfabde/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabdetbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdjapanwestTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumjpw1mlregontumjpw147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a15029525481295684804abfa13034515d626/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdjapanwestTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumjpw1mlregontumjpw147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1251291010356515190333109c61cebcee66/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdjapanwestFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumjpw1mlregontumjpw1160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c1709027566279544712796d6d845984b3595/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeus1mlregontumeus147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a15029525481295684804abfa13034515d626/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdfrancecentralFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumfrc1mlregontumfrc147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1121579462494995493798086c3485abfabde/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabdetbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdjapanwestFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumjpw1mlregontumjpw155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdeastus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeus21mlregontumeus2147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1121579462494995493798086c3485abfabde/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabdetbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdeastasiaFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeas1mlregontumeas147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1121579462494995493798086c3485abfabde/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabdetbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdeastasiaTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeas1mlregontumeas147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a15029525481295684804abfa13034515d626/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdeastasiaTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeas1mlregontumeas147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1251291010356515190333109c61cebcee66/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdeastus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeus21mlregontumeus2147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a18127684034919606540ffb3acd578d03dc3/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdeastasiaFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeas1mlregontumeas1160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c1709027566279544712796d6d845984b3595/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdeastus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeus21mlregontumeus2147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a12997960159391222263cc275f6260404a9a/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9atbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdeastasiaFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeas1mlregontumeas1ba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.014852652528315679993f8db185c400632fd/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fdtbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdeastasiaFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeas1mlregontumeas155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdeastasiaFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeas1mlregontumeas155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdeastasiaTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeas1mlregontumeas155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdeastasiaTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeas1mlregontumeas155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdeastus2TrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeus21mlregontumeus2147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a15029525481295684804abfa13034515d626/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdeastus2TrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeus21mlregontumeus2147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1251291010356515190333109c61cebcee66/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdeastus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeus21mlregontumeus21160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c1709027566279544712796d6d845984b3595/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdeastus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeus21mlregontumeus21ba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.014852652528315679993f8db185c400632fd/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fdtbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdeastus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeus21mlregontumeus2155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdeastus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeus21mlregontumeus2155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeus1mlregontumeus147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a18127684034919606540ffb3acd578d03dc3/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdeastus2TrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeus21mlregontumeus2155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdeastasiaFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeas1mlregontumeas147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a12997960159391222263cc275f6260404a9a/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9atbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeus1mlregontumeus147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a12997960159391222263cc275f6260404a9a/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9atbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdeastasiaFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeas1mlregontumeas147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a18127684034919606540ffb3acd578d03dc3/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdfrancecentralTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumfrc1mlregontumfrc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdfrancecentralFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumfrc1mlregontumfrc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdfrancecentralFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumfrc1mlregontumfrc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdfrancecentralFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumfrc1mlregontumfrc1ba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.014852652528315679993f8db185c400632fd/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fdtbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdfrancecentralFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumfrc1mlregontumfrc1160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c1709027566279544712796d6d845984b3595/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdfrancecentralTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumfrc1mlregontumfrc147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1251291010356515190333109c61cebcee66/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdfrancecentralTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumfrc1mlregontumfrc147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a15029525481295684804abfa13034515d626/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdeastus2TrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumeus21mlregontumeus2155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_private_preview_registryMicrosoft.Storage/storageAccountstbdfrancecentralTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_private_preview_registry/providers/microsoft.storage/storageaccounts/mlregontumfrc1mlregontumfrc155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdeastus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54meus21mlregjn54meus2147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1129213750941897029333690c8076353f9/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9tbdauditifnotexists/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54meus1mlregjn54meus147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1129213750941897029333690c8076353f9/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9tbdauditifnotexists/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwus1mlregjn54mwus147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a18127684034919606540ffb3acd578d03dc3/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwus1mlregjn54mwus147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a12997960159391222263cc275f6260404a9a/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9atbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwus1mlregjn54mwus147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1121579462494995493798086c3485abfabde/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabdetbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwus1mlregjn54mwus1160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c1709027566279544712796d6d845984b3595/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwus1mlregjn54mwus147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1251291010356515190333109c61cebcee66/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwus1mlregjn54mwus1ba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.014852652528315679993f8db185c400632fd/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fdtbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwus1mlregjn54mwus155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwus1mlregjn54mwus155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwus1mlregjn54mwus155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwus1mlregjn54mwus155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwus1mlregjn54mwus147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a15029525481295684804abfa13034515d626/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mscus1mlregjn54mscus147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a18127684034919606540ffb3acd578d03dc3/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.ContainerRegistry/registriestbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.containerregistry/registries/mlregfudnmmlregfudnm160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c183298879773221411398ff43c0215fc2b5c/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8ff43c0215fc2b5ctbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mscus1mlregjn54mscus147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1121579462494995493798086c3485abfabde/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabdetbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdwestcentralusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwcus1mlregjn54mwcus147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a15029525481295684804abfa13034515d626/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwcus1mlregjn54mwcus147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1121579462494995493798086c3485abfabde/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabdetbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwcus1mlregjn54mwcus147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a12997960159391222263cc275f6260404a9a/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9atbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwcus1mlregjn54mwcus147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a18127684034919606540ffb3acd578d03dc3/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mscus1mlregjn54mscus155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mscus1mlregjn54mscus155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mscus1mlregjn54mscus147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a12997960159391222263cc275f6260404a9a/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9atbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mscus1mlregjn54mscus155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mscus1mlregjn54mscus1ba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.014852652528315679993f8db185c400632fd/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fdtbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmeus1mlregfudnmeus147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1129213750941897029333690c8076353f9/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9tbdauditifnotexists/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mscus1mlregjn54mscus1160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c1709027566279544712796d6d845984b3595/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mscus1mlregjn54mscus147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1251291010356515190333109c61cebcee66/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mscus1mlregjn54mscus147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a15029525481295684804abfa13034515d626/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdeastus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54meus21mlregjn54meus2155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mscus1mlregjn54mscus155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwcus1mlregjn54mwcus147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1129213750941897029333690c8076353f9/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9tbdauditifnotexists/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwus1mlregjn54mwus147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1129213750941897029333690c8076353f9/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9tbdauditifnotexists/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mscus1mlregjn54mscus147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1129213750941897029333690c8076353f9/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9tbdauditifnotexists/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.ContainerRegistry/registriestbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.containerregistry/registries/mlregjn54mmlregjn54mba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.041750109159906600906b115614afdfb4f6/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/6b115614afdfb4f6tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.ContainerRegistry/registriestbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.containerregistry/registries/mlregfudnmmlregfudnmba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.041750109159906600906b115614afdfb4f6/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/6b115614afdfb4f6tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.ContainerRegistry/registriestbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.containerregistry/registries/mlregfudnmmlregfudnm160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c14964690428565797584f8e7133d43e7ae8a/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8e7133d43e7ae8atbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.ContainerRegistry/registriestbdwestus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.containerregistry/registries/mlregjn54mmlregjn54m55.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1containerregistriesshoulduseprivatelinkmonitoringeffecte8eef0a8-67cf-4eb4-9386-14b0e78733d4/providers/microsoft.authorization/policydefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link.Container RegistryContainer registries should use private link
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmscus1mlregfudnmscus147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a12997960159391222263cc275f6260404a9a/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9atbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmscus1mlregfudnmscus147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a18127684034919606540ffb3acd578d03dc3/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmscus1mlregfudnmscus155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdwestcentralusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwcus1mlregfudnmwcus155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdwestcentralusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwcus1mlregfudnmwcus155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmscus1mlregfudnmscus1ba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.014852652528315679993f8db185c400632fd/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fdtbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwcus1mlregfudnmwcus155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwcus1mlregfudnmwcus1ba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.014852652528315679993f8db185c400632fd/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fdtbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwcus1mlregfudnmwcus1160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c1709027566279544712796d6d845984b3595/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdwestcentralusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwcus1mlregfudnmwcus147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1251291010356515190333109c61cebcee66/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdwestcentralusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwcus1mlregfudnmwcus147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a15029525481295684804abfa13034515d626/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwcus1mlregfudnmwcus147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1121579462494995493798086c3485abfabde/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabdetbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwcus1mlregfudnmwcus147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a12997960159391222263cc275f6260404a9a/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9atbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwcus1mlregfudnmwcus147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a18127684034919606540ffb3acd578d03dc3/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmeus1mlregfudnmeus155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0storageaccountshoulduseaprivatelinkconnectionmonitoringeffect6edd7eda-6dd8-40f7-810d-67160c639cd9/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9azure_security_benchmark_v3.0_ns-2tbdauditifnotexists/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAzure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverviewStorageStorage accounts should use private link
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmscus1mlregfudnmscus147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1129213750941897029333690c8076353f9/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9tbdauditifnotexists/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus1mlregfudnmwus155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwcus1mlregfudnmwcus155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdwestusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus1mlregfudnmwus155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmeus1mlregfudnmeus147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a12997960159391222263cc275f6260404a9a/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9atbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmscus1mlregfudnmscus155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdeastus2TrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmeus21mlregfudnmeus2155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdeastus2TrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmeus21mlregfudnmeus2155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdeastus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmeus21mlregfudnmeus2155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdeastus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmeus21mlregfudnmeus2155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdeastus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmeus21mlregfudnmeus21ba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.014852652528315679993f8db185c400632fd/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fdtbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmeus1mlregfudnmeus155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdeastus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmeus21mlregfudnmeus21160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c1709027566279544712796d6d845984b3595/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdeastus2TrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmeus21mlregfudnmeus2147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1251291010356515190333109c61cebcee66/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmeus1mlregfudnmeus155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdeastus2TrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmeus21mlregfudnmeus2147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a15029525481295684804abfa13034515d626/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdsouthcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmscus1mlregfudnmscus155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmeus1mlregfudnmeus155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmeus1mlregfudnmeus155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdeastus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmeus21mlregfudnmeus2147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a12997960159391222263cc275f6260404a9a/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9atbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmeus1mlregfudnmeus1ba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.014852652528315679993f8db185c400632fd/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fdtbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdeastus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmeus21mlregfudnmeus2147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a18127684034919606540ffb3acd578d03dc3/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmeus1mlregfudnmeus1160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c1709027566279544712796d6d845984b3595/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmeus1mlregfudnmeus147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1251291010356515190333109c61cebcee66/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmeus1mlregfudnmeus147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a15029525481295684804abfa13034515d626/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmscus1mlregfudnmscus155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center2.0.0securetransfertostorageaccountmonitoring404c3081-a854-4457-ae30-26a93ef643f9/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9azure_security_benchmark_v3.0_dp-3tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAudit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijackingStorageSecure transfer to storage accounts should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdsouthcentralusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmscus1mlregfudnmscus155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmeus1mlregfudnmeus147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1121579462494995493798086c3485abfabde/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabdetbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdeastus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmeus21mlregfudnmeus2147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1121579462494995493798086c3485abfabde/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabdetbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus1mlregfudnmwus155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus1mlregfudnmwus155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.1storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect2a1a9cdf-e04d-429a-8416-3bfb72a1b26f/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26fazure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinProtect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.StorageStorage accounts should restrict network access using virtual network rules
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdwestusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus1mlregfudnmwus1ba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.014852652528315679993f8db185c400632fd/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fdtbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54meus1mlregjn54meus1ba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.014852652528315679993f8db185c400632fd/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fdtbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdeastus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54meus21mlregjn54meus21160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c1709027566279544712796d6d845984b3595/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54meus1mlregjn54meus1160bc010a809a54c/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c1709027566279544712796d6d845984b3595/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit1-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdeastus2TrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54meus21mlregjn54meus2147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1251291010356515190333109c61cebcee66/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdeastus2TrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54meus21mlregjn54meus2147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a15029525481295684804abfa13034515d626/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54meus1mlregjn54meus147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1251291010356515190333109c61cebcee66/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54meus1mlregjn54meus147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a15029525481295684804abfa13034515d626/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626tbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdeastus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54meus21mlregjn54meus2147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1121579462494995493798086c3485abfabde/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabdetbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdeastusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54meus1mlregjn54meus147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1121579462494995493798086c3485abfabde/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabdetbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdeastus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54meus21mlregjn54meus2147d8e1d3106c85a1/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a12997960159391222263cc275f6260404a9a/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9atbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdASB-Audit3-Initiative-v1/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdeastus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54meus21mlregjn54meus21ba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.014852652528315679993f8db185c400632fd/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fdtbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_registry,Microsoft.Storage/storageAccounts,tbd,eastus,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54meus1,mlregjn54meus1,,,,47d8e1d3106c85a1,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1,,,,2997960159391222263,cc275f6260404a9a,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit3-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_registry,Microsoft.Storage/storageAccounts,tbd,eastus,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54meus1,mlregjn54meus1,,,,47d8e1d3106c85a1,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1,,,,8127684034919606540,ffb3acd578d03dc3,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit3-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_registry,Microsoft.Storage/storageAccounts,tbd,westcentralus,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwcus1,mlregfudnmwcus1,,,,47d8e1d3106c85a1,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1,,,,12921375094189702933,3690c8076353f9,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9,,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit3-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_registry,Microsoft.Storage/storageAccounts,tbd,westus,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus1,mlregfudnmwus1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,tbd,,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,Storage accounts should use private link
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_registry,Microsoft.Storage/storageAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus21,mlregfudnmwus21,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,tbd,,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,Storage accounts should use private link
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_registry,Microsoft.Storage/storageAccounts,tbd,westcentralus,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwcus1,mlregfudnmwcus1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,tbd,,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,Storage accounts should use private link
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_registry,Microsoft.Storage/storageAccounts,tbd,westus,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus1,mlregfudnmwus1,,,,47d8e1d3106c85a1,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1,,,,12921375094189702933,3690c8076353f9,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9,,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit3-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_registry,Microsoft.Storage/storageAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus21,mlregfudnmwus21,,,,47d8e1d3106c85a1,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1,,,,12921375094189702933,3690c8076353f9,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/3690c8076353f9,,tbd,auditifnotexists,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit3-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_registry,Microsoft.Storage/storageAccounts,tbd,westcentralus,True,Compliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwcus1,mlregjn54mwcus1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,tbd,,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_registry,Microsoft.Storage/storageAccounts,tbd,westcentralus,True,Compliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwcus1,mlregjn54mwcus1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,tbd,,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,Storage accounts should be migrated to new Azure Resource Manager resources
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_registry,Microsoft.Storage/storageAccounts,tbd,westcentralus,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwcus1,mlregjn54mwcus1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,tbd,,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,[Preview]: Storage account public access should be disallowed
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_registry,Microsoft.Storage/storageAccounts,tbd,eastus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54meus21,mlregjn54meus21,,,,47d8e1d3106c85a1,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1,,,,8127684034919606540,ffb3acd578d03dc3,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit3-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_registry,Microsoft.Storage/storageAccounts,tbd,eastus,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54meus1,mlregjn54meus1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,tbd,,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,Storage accounts should restrict network access using virtual network rules
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_registry,Microsoft.Storage/storageAccounts,tbd,eastus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54meus21,mlregjn54meus21,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,tbd,,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,Storage accounts should restrict network access using virtual network rules
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_registry,Microsoft.Storage/storageAccounts,tbd,eastus,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54meus1,mlregjn54meus1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,tbd,,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,[Preview]: Storage account public access should be disallowed
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_registry,Microsoft.Storage/storageAccounts,tbd,westus,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus1,mlregfudnmwus1,,,,160bc010a809a54c,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c,,,,17090275662795447127,96d6d845984b3595,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit1-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_registry,Microsoft.Storage/storageAccounts,tbd,westus,True,Compliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus1,mlregfudnmwus1,,,,47d8e1d3106c85a1,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1,,,,2512910103565151903,33109c61cebcee66,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit3-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_registry,Microsoft.Storage/storageAccounts,tbd,westus,True,Compliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus1,mlregfudnmwus1,,,,47d8e1d3106c85a1,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1,,,,5029525481295684804,abfa13034515d626,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit3-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_registry,Microsoft.Storage/storageAccounts,tbd,westus,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus1,mlregfudnmwus1,,,,47d8e1d3106c85a1,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1,,,,12157946249499549379,8086c3485abfabde,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit3-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_registry,Microsoft.Storage/storageAccounts,tbd,westus,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus1,mlregfudnmwus1,,,,47d8e1d3106c85a1,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1,,,,2997960159391222263,cc275f6260404a9a,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit3-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_registry,Microsoft.Storage/storageAccounts,tbd,westus,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus1,mlregfudnmwus1,,,,47d8e1d3106c85a1,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1,,,,8127684034919606540,ffb3acd578d03dc3,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit3-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_registry,Microsoft.Storage/storageAccounts,tbd,westus2,True,Compliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus21,mlregfudnmwus21,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,tbd,,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_registry,Microsoft.Storage/storageAccounts,tbd,westus2,True,Compliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus21,mlregfudnmwus21,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,tbd,,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,Storage accounts should be migrated to new Azure Resource Manager resources
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_registry,Microsoft.Storage/storageAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus21,mlregfudnmwus21,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,3.1.0-preview,storagedisallowpublicaccess,4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,tbd,,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.",Storage,[Preview]: Storage account public access should be disallowed
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_registry,Microsoft.Storage/storageAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus21,mlregfudnmwus21,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.1,storageaccountsshouldrestrictnetworkaccessusingvirtualnetworkrulesmonitoringeffect,2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,/providers/microsoft.authorization/policydefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f,azure_security_benchmark_v3.0_ns-2,tbd,audit,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,tbd,,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",Storage,Storage accounts should restrict network access using virtual network rules
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_registry,Microsoft.Storage/storageAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus21,mlregfudnmwus21,,,,ba5e650e435f7c81,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c81,,,1.0,14852652528315679993,f8db185c400632fd,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fd,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,SEC-NetIso-PaaS-v012,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_registry,Microsoft.Storage/storageAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus21,mlregfudnmwus21,,,,160bc010a809a54c,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/160bc010a809a54c,,,,17090275662795447127,96d6d845984b3595,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/96d6d845984b3595,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit1-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit1-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_registry,Microsoft.Storage/storageAccounts,tbd,westus2,True,Compliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus21,mlregfudnmwus21,,,,47d8e1d3106c85a1,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1,,,,2512910103565151903,33109c61cebcee66,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/33109c61cebcee66,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit3-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_registry,Microsoft.Storage/storageAccounts,tbd,westus2,True,Compliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus21,mlregfudnmwus21,,,,47d8e1d3106c85a1,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1,,,,5029525481295684804,abfa13034515d626,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/abfa13034515d626,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit3-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_registry,Microsoft.Storage/storageAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus21,mlregfudnmwus21,,,,47d8e1d3106c85a1,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1,,,,12157946249499549379,8086c3485abfabde,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/8086c3485abfabde,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit3-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_registry,Microsoft.Storage/storageAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus21,mlregfudnmwus21,,,,47d8e1d3106c85a1,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1,,,,2997960159391222263,cc275f6260404a9a,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/cc275f6260404a9a,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit3-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_registry,Microsoft.Storage/storageAccounts,tbd,westus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmwus21,mlregfudnmwus21,,,,47d8e1d3106c85a1,/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/47d8e1d3106c85a1,,,,8127684034919606540,ffb3acd578d03dc3,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/ffb3acd578d03dc3,,tbd,audit,,/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792,tbd,,ASB-Audit3-Initiative-v1,/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/asb-audit3-initiative-v1,,,
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_registry,Microsoft.Storage/storageAccounts,tbd,eastus2,False,NonCompliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregfudnmeus21,mlregfudnmeus21,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,storageaccountshoulduseaprivatelinkconnectionmonitoringeffect,6edd7eda-6dd8-40f7-810d-67160c639cd9,/providers/microsoft.authorization/policydefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9,azure_security_benchmark_v3.0_ns-2,tbd,auditifnotexists,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,tbd,,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview",Storage,Storage accounts should use private link
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_registry,Microsoft.Storage/storageAccounts,tbd,eastus2,True,Compliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54meus21,mlregjn54meus21,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,tbd,,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_registry,Microsoft.Storage/storageAccounts,tbd,eastus,True,Compliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54meus1,mlregjn54meus1,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,2.0.0,securetransfertostorageaccountmonitoring,404c3081-a854-4457-ae30-26a93ef643f9,/providers/microsoft.authorization/policydefinitions/404c3081-a854-4457-ae30-26a93ef643f9,azure_security_benchmark_v3.0_dp-3,tbd,audit,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,tbd,,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",Storage,Secure transfer to storage accounts should be enabled
e0fd569c-e34a-4249-8c24-e8d723c7f054,rai_registry,Microsoft.Storage/storageAccounts,tbd,eastus2,True,Compliant,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54meus21,mlregjn54meus21,55.0.0,,,1f3afdf9-d0c9-4c3d-847f-89da613e70a8,/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8,security center,,1.0.0,classicstorageaccountsmonitoring,37e0d2fe-28a5-43d6-a273-67d37d1f5606,/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606,azure_security_benchmark_v3.0_am-2,tbd,audit,,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054,tbd,,SecurityCenterBuiltIn,/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltin,"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",Storage,Storage accounts should be migrated to new Azure Resource Manager resources
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdeastusTrueCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54meus1mlregjn54meus155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center1.0.0classicstorageaccountsmonitoring37e0d2fe-28a5-43d6-a273-67d37d1f5606/providers/microsoft.authorization/policydefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606azure_security_benchmark_v3.0_am-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinUse new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security managementStorageStorage accounts should be migrated to new Azure Resource Manager resources
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdeastus2FalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54meus21mlregjn54meus2155.0.01f3afdf9-d0c9-4c3d-847f-89da613e70a8/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8security center3.1.0-previewstoragedisallowpublicaccess4fa4b6c0-31ca-4c0d-b10d-24b96f62a751/providers/microsoft.authorization/policydefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751azure_security_benchmark_v3.0_ns-2tbdaudit/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054tbdSecurityCenterBuiltIn/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/providers/microsoft.authorization/policyassignments/securitycenterbuiltinAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.Storage[Preview]: Storage account public access should be disallowed
e0fd569c-e34a-4249-8c24-e8d723c7f054rai_registryMicrosoft.Storage/storageAccountstbdwestcentralusFalseNonCompliant/subscriptions/e0fd569c-e34a-4249-8c24-e8d723c7f054/resourcegroups/rai_registry/providers/microsoft.storage/storageaccounts/mlregjn54mwcus1mlregjn54mwcus1ba5e650e435f7c81/providers/Microsoft.Management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/Microsoft.Authorization/policySetDefinitions/ba5e650e435f7c811.014852652528315679993f8db185c400632fd/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policydefinitions/f8db185c400632fdtbdaudit/providers/Microsoft.Management/managementGroups/48fed3a1-0814-4847-88ce-b766155f2792tbdSEC-NetIso-PaaS-v012/providers/microsoft.management/managementgroups/48fed3a1-0814-4847-88ce-b766155f2792/providers/microsoft.authorization/policyassignments/sec-netiso-paas-v012
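The four built-in storage policies listed in the rows above each turn on one property of the storage-account resource. The Python below is an added example and is not part of this report or of Microsoft's policy definitions: it re-implements those checks as a local approximation of the built-in rules so a reviewer can see which ARM property each finding depends on, and runs them over constructed sample resources. The property names (supportsHttpsTrafficOnly, allowBlobPublicAccess, privateEndpointConnections) come from the Microsoft.Storage/storageAccounts ARM schema; the mapping of each property to each policy, and the treatment of a missing property as non-compliant, are assumptions about how the built-ins evaluate.

```python
"""Local approximation of the storage-account checks behind the report rows.

Added example; the sample resources are constructed, not taken from the report.
"""
from __future__ import annotations

from typing import Any

# Display names exactly as the report prints them.
PRIVATE_LINK = "Storage accounts should use private link"
SECURE_TRANSFER = "Secure transfer to storage accounts should be enabled"
CLASSIC = "Storage accounts should be migrated to new Azure Resource Manager resources"
PUBLIC_ACCESS = "[Preview]: Storage account public access should be disallowed"


def evaluate_storage_account(resource: dict[str, Any]) -> dict[str, bool]:
    """Return {policy display name: compliant} for one storage-account resource.

    Assumption: each check mirrors the corresponding built-in policy rule on the
    resource's ARM properties. A property that is absent is scored as
    non-compliant, which is the conservative reading of an Audit rule written
    as "field notEquals <secure value>".
    """
    props: dict[str, Any] = resource.get("properties", {})
    results: dict[str, bool] = {}

    # AM-2: only ARM-based accounts pass; a Microsoft.ClassicStorage type fails.
    results[CLASSIC] = resource.get("type", "").lower() == "microsoft.storage/storageaccounts"

    # DP-3: HTTPS-only must be exactly true.
    results[SECURE_TRANSFER] = props.get("supportsHttpsTrafficOnly") is True

    # NS-2 (public access): allowBlobPublicAccess must be exactly false.
    results[PUBLIC_ACCESS] = props.get("allowBlobPublicAccess") is False

    # NS-2 (private link): AuditIfNotExists semantics, so the account needs at
    # least one private endpoint connection whose connection state is Approved.
    connections = props.get("privateEndpointConnections") or []
    results[PRIVATE_LINK] = any(
        conn.get("properties", {})
        .get("privateLinkServiceConnectionState", {})
        .get("status")
        == "Approved"
        for conn in connections
    )
    return results


def noncompliant(resource: dict[str, Any]) -> list[str]:
    """Sorted display names of the policies this resource fails."""
    return sorted(name for name, ok in evaluate_storage_account(resource).items() if not ok)


# Constructed samples. SAMPLE_BAD reproduces the pattern the report shows for
# one eastus2 account: HTTPS-only on and ARM-based (compliant), but no private
# endpoint and blob public access not disabled (non-compliant).
SAMPLE_BAD: dict[str, Any] = {
    "type": "Microsoft.Storage/storageAccounts",
    "location": "eastus2",
    "properties": {"supportsHttpsTrafficOnly": True, "allowBlobPublicAccess": True},
}

SAMPLE_GOOD: dict[str, Any] = {
    "type": "Microsoft.Storage/storageAccounts",
    "location": "eastus",
    "properties": {
        "supportsHttpsTrafficOnly": True,
        "allowBlobPublicAccess": False,
        "privateEndpointConnections": [
            {"properties": {"privateLinkServiceConnectionState": {"status": "Approved"}}}
        ],
    },
}

# A pending (not yet approved) endpoint does not satisfy the private-link check.
SAMPLE_PENDING_PE: dict[str, Any] = {
    "type": "Microsoft.Storage/storageAccounts",
    "location": "westcentralus",
    "properties": {
        "supportsHttpsTrafficOnly": True,
        "allowBlobPublicAccess": False,
        "privateEndpointConnections": [
            {"properties": {"privateLinkServiceConnectionState": {"status": "Pending"}}}
        ],
    },
}

if __name__ == "__main__":
    for label, res in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD), ("pending", SAMPLE_PENDING_PE)):
        print(label, res["location"], noncompliant(res))
```

The AuditIfNotExists case is the one worth noticing: the report marks the eastus2 account non-compliant for private link even though its own properties look fine, because the rule is satisfied only by the existence of an approved related endpoint, not by a flag on the account.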